AW: Package URLs for Apache Tomcat distributions

2024-04-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
 
> On 11/04/2024 16:52, von Loewenstein, Jan wrote:
> > Hi folks,
> >
> > I am part of the Paketo community, and we are providing Cloud Native
> > Buildpacks to create container images with – amongst other technologies –
> > Apache Tomcat and Apache TomEE as application runtimes.
> >
> > One of the features of Cloud Native Buildpacks is that images come with
> > Software-Bill-of-Material. When installing Apache Tomcat, we issue the
> > following CPE and pURL to the SBOM:
> >
> > 1. cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
> > 2. pkg:generic/apache-tomcat@10.1.20
> >
> > The former should be the right one for users to find relevant CVEs in
> > e.g. the nvd.nist.gov. The latter however is made up and will likely
> > not lead to any findings on e.g. https://osv.dev
> >
> > Now I am wondering if you report Tomcat vulnerabilities under any pURL and
> > which one that would be.
> 
> We don't.
> 
> > There is a proposal spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define> to
> introduce `pkg:apache` as a namespace, which would open up
> `pkg:apache/tomcat@10.1.20` as a canonical pURL.
> 
> That is a foundation wide decision and not one the Tomcat project can make
> unilaterally. That is probably a topic for security-
> disc...@community.apache.org where pURL has already been touched on this
> thread:
> https://lists.apache.org/thread/7hs5ooqhfozmhlvq24k5xztzn1nwp9yv
> 
> Mark

This topic might get even more important when the Cyber Resilience Act of the 
European Union is released.
Software manufacturers will be obliged to provide an inventory / SBOM list.
https://medium.com/@interlynkblog/eu-cra-and-sbom-5100c55752fa#:~:text=The%20CRA%20text%20implies%20that,regulators')%20and%20product%20manufacturers.
  



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



AW: NoClassDefFoundError for SSL operations

2024-02-22 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Simon,

> -Original Message-
> From: Simon Arame 
> Sent: Thursday, 22 February 2024 18:06
> To: users@tomcat.apache.org
> Subject: NoClassDefFoundError for SSL operations
> 
> We have Tomcat 9.0.81 running under OpenJDK 1.8.0_402-b06
> 
> Since the latest OpenJDK upgrade we get some errors when trying to perform
> SSL Operations like obtaining the bytes of an HTTPS url or sending an email
> through SMTP with TLS on.
> 
> Note that with the same jdk, those operations succeed when run directly with
> java outside of Tomcat.
> 
> The top of the stack traces always has org/bouncycastle/asn1/x9/X9Curve as
> "class not found".
> 
> Here is the stack trace for a regular smtp email send failed attempt:
> 
> java.lang.NoClassDefFoundError: org/bouncycastle/asn1/x9/X9Curve
> at org.bouncycastle.asn1.x9.X9ECParameters.toASN1Object(Unknown Source)
> at org.bouncycastle.asn1.ASN1Encodable.getDERObject(Unknown Source)
> at org.bouncycastle.asn1.x9.X962Parameters.<init>(Unknown Source)
> at org.bouncycastle.jce.provider.JCEECPublicKey.getEncoded(Unknown Source)
> at org.bouncycastle.jce.provider.JCEECPrivateKey.getPublicKeyDetails(Unknown Source)
> at org.bouncycastle.jce.provider.JCEECPrivateKey.<init>(Unknown Source)
> at org.bouncycastle.jce.provider.asymmetric.ec.KeyPairGenerator$EC.generateKeyPair(Unknown Source)
> at sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:128)
> at sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:392)
> at sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65)
> at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
> at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
> at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
> at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
> at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
> at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
> at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
> at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1401)
> at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
> at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:602)
> at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:529)
> at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2135)
> at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:734)
> at javax.mail.Service.connect(Service.java:364)
> at javax.mail.Service.connect(Service.java:222)
> at javax.mail.Service.connect(Service.java:171)
> 
> 
> and the stack trace while trying to obtain an HTTPS url with jersey-client
> org/bouncycastle/asn1/x9/X9Curve
> at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:312)
> at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:675)
> at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
> at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
> at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
> at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
> at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:674)
> at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:422)
> at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:318)
> 
> 
> I asked for an upgrade of tomcat from 9.0.81 to 9.0.86 and am waiting to see
> if this will resolve our problems. Any advice or links/reports on that problem
> would be appreciated.
> 
> Simon

Bouncycastle is a 3rd party library. It has nothing to do with Tomcat, nor the JDK.
Check where you reference the bouncycastle class.
Maybe someone has edited the java.security file within the JDK.

If you are on Linux, you can also grep for any references.

Greetings, Thomas
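
One way to run the check suggested above on Linux, as an added example that is not part of the original post: the function lists active BouncyCastle `security.provider.N` entries in a JDK's java.security and every BouncyCastle jar under the JDK and the directories passed to it. The demo tree and the jar name `bcprov-constructed.jar` are constructed; no real JDK is touched.

```shell
#!/bin/sh
# Added example (not from the thread): find where BouncyCastle is wired into a JVM.
# Usage: bc_provider_scan JAVA_HOME [extra directories to search for jars...]

bc_provider_scan() {
    [ "$#" -ge 1 ] || { echo "usage: bc_provider_scan JAVA_HOME [dir...]" >&2; return 2; }
    java_home=$1
    shift
    # java.security lives under jre/lib/security (JDK 8), lib/security (JRE 8)
    # or conf/security (JDK 9 and later).
    for f in "$java_home/jre/lib/security/java.security" \
             "$java_home/lib/security/java.security" \
             "$java_home/conf/security/java.security"; do
        [ -f "$f" ] || continue
        # Only active (uncommented) security.provider.N entries count.
        grep -n -i '^[[:space:]]*security\.provider\.[0-9][0-9]*=.*bouncycastle' "$f" |
            while IFS= read -r hit; do printf 'provider %s:%s\n' "$f" "$hit"; done
    done
    # List every candidate jar so copies in different locations stand out
    # (JDK ext directory, Tomcat lib, a webapp's WEB-INF/lib).
    for d in "$java_home" "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -iname 'bc*.jar' -o -iname '*bouncycastle*.jar' \) 2>/dev/null
    done | sort -u | while IFS= read -r jar; do printf 'jar %s\n' "$jar"; done
}

# Constructed JDK 8 style layout used for the demo below.
make_constructed_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/jdk/jre/lib/security" "$root/jdk/jre/lib/ext" \
             "$root/webapps/app/WEB-INF/lib"
    cat > "$root/jdk/jre/lib/security/java.security" <<'EOF'
# constructed sample, not a real java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
#security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.ec.SunEC
EOF
    : > "$root/jdk/jre/lib/ext/bcprov-constructed.jar"
    : > "$root/webapps/app/WEB-INF/lib/unrelated.jar"
    printf '%s\n' "$root"
}

if [ "$#" -gt 0 ]; then
    bc_provider_scan "$@"
else
    tree=$(make_constructed_tree) &&
        bc_provider_scan "$tree/jdk" "$tree/webapps"
    rm -rf "$tree"
fi
```

Against a real installation, pass the JDK directory first and then CATALINA_HOME and CATALINA_BASE.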


AW: TOMCAT CERTIFICATE RENEWAL

2024-02-19 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Ganesan,

> -Original Message-
> From: Ganesan, Prabu 
> Sent: Monday, 19 February 2024 08:41
> To: Tomcat Users List 
> Subject: RE: TOMCAT CERTIFICATE RENEWAL
> 
> Hi Tomas
> 
> Thanks for your information - it's a jks file. Do we have any specific command to
> pass for renewing the certificate?

You have several options:
1) use a tool like https://keystore-explorer.org/
2) fiddle around with the command line tool "keytool"
3) Change to pem files and modify the server.xml accordingly.
See https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html for more 
information

> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Monday, February 19, 2024 12:49 PM
> To: Tomcat Users List 
> Subject: AW: TOMCAT CERTIFICATE RENEWAL
> 
> Hello Ganesan,
> 
> > From: Ganesan, Prabu 
> > Sent: Monday, 19 February 2024 08:07
> > To: Tomcat Users List 
> > Subject: TOMCAT CERTIFICATE RENEWAL
> > Priority: High
> >
> > Hi Guys,
> > How to renew the certificate in Tomcat? Can anyone provide the steps, as
> > our Tomcat certificate is about to expire next week? Can anybody help
> > with the renewal steps:
> > Tomcat version : 8.5.5.0
> 
> Take a look at the server.xml and inspect the https connector.
> There should be a reference to the key file and certificate-file.
> Depending on the used format (pem, jks etc) you need to update these files.
> 
> Greetings,
> Thomas





AW: TOMCAT CERTIFICATE RENEWAL

2024-02-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Ganesan,

> From: Ganesan, Prabu 
> Sent: Monday, 19 February 2024 08:07
> To: Tomcat Users List 
> Subject: TOMCAT CERTIFICATE RENEWAL
> Priority: High
>
> Hi Guys,
> How to renew the certificate in Tomcat? Can anyone provide the steps, as
> our Tomcat certificate is about to expire next week? Can anybody help
> with the renewal steps:
> Tomcat version : 8.5.5.0

Take a look at the server.xml and inspect the https connector.
There should be a reference to the key file and certificate-file.
Depending on the used format (pem, jks etc) you need to update these files.

Greetings,
Thomas




AW: Cannot Start Tomcat Windows Service_01/21/24

2024-01-21 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> From: support 
> Sent: Sunday, 21 January 2024 20:59
> To: users@tomcat.apache.org
> Subject: Cannot Start Tomcat Windows Service_01/21/24
>
> I receive the Windows error below every time I try to start the Tomcat
> Windows service after modifying the server.xml file to require TLS. I used
> the instructions below and other online sources to find the proper syntax to
> modify server.xml. Nothing has worked. I used the keytool commands to
> create my own keystore and self-signed certificate.
>  
> Instructions 
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html 
>  
> Key Information 
> keytool -genkeypair -alias  -keyalg RSA -validity 1095 -keystore 
> "C:\Program Files\Apache Software Foundation\Tomcat 
> 9.0_Tomcat9.0.85\conf\Certificates\" 
>  
> Software Information 
> OS: Windows 10 and Windows Server 2019 
> Java: JDK (build 1.8.0_391-b13) 
> Apache Tomcat: Version 9.0.85 
>  

Please provide the log file messages.
There should be more information in \logs

Greetings, Thomas


AW: 400 Bad Request - where do I find the detailed reason for the bad request so I can fix it?

2023-11-28 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Graham,

> -Original Message-
> From: Graham Leggett 
> Sent: Tuesday, 28 November 2023 20:12
> To: Tomcat Users List 
> Subject: Re: 400 Bad Request - where do I find the detailed reason for the
> bad request so I can fix it?
> 
> On 28 Nov 2023, at 18:42, Christopher Schultz 
> wrote:
> 
> > In your debugger, when you break-on-exception, what happens if you
> > allow the exception to propagate up to the first exception-handler? Does
> > Tomcat swallow the exception? Or is it caught elsewhere?
> 
> The exception eventually ends up inside ErrorReportValve, but I’m
> debugging a remote box and don’t have any of the source code tied up - will
> do further digging.
> 
> > When you say you have an "unmarshalling problem"... do you mean in your
> > own application? Or something in Tomcat? (I can't think of anything in Tomcat
> > we'd call "unmarshalling", but I figure I'd ask.)
> 
> I’m in dependency hell - java8 to java17, JAXB as used by Jersey2 broke. No
> idea why, but an internal Oracle implementation is hardcoded somewhere.
> 
> java.lang.ClassNotFoundException: oracle.xml.jaxp.JXSAXParserFactory

I think you got trapped in the javax-jakarta hell after upgrading.
As a general recommendation, you should upgrade all libraries in your app.
Mostly all new versions have switched to using Jakarta.

Do you use a build system like Gradle or Maven?
They should take care of the new dependencies. Otherwise you have to look it up.

If some libraries don’t support Jakarta package yet, you have to add the legacy 
jaxb libs:
https://mvnrepository.com/artifact/com.sun.xml.bind/jaxb-impl

> Regards,
> Graham
> —



AW: AW: FileUpload class not working with Tomcat 10.1

2023-11-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hi Mark!

> -Original Message-
> From: Mark Foley 
> Sent: Tuesday, 14 November 2023 18:20
> To: users@tomcat.apache.org
> Subject: Re: AW: FileUpload class not working with Tomcat 10.1
> 
> On Tue Nov 14 01:46:09 2023 "Thomas Hoffmann (Speed4Trade GmbH)"
>  wrote:
> >
> > Hello Mark,
> >
> > > -Original Message-
> > > From: Mark Foley 
> > > Sent: Monday, 13 November 2023 23:12
> > > To: users@tomcat.apache.org
> > > Subject: Re: AW: FileUpload class not working with Tomcat 10.1
> > >
> > > On Mon Nov 13 02:18:49 2023 "Thomas Hoffmann (Speed4Trade GmbH)"
> > >  wrote:
> > > > Hello,
> > > >
> > > > > -Original Message-
> > > > > From: Mark Foley 
> > > > > Sent: Sunday, 12 November 2023 19:04
> > > > > To: users@tomcat.apache.org
> > > > > Subject: Re: FileUpload class not working with Tomcat 10.1
> > > > >
> > > > > On Fri Nov 10 15:57:50 2023 Christopher Schultz
> > > > >  wrote:
> > > > > >
> > > > > > Mark,
> > > > > >
> > > > > > On 11/10/23 12:53, Mark Foley wrote:
> > > > > > > > On Fri, 10 Nov 2023 17:11:59 Mark Thomas wrote:
> > > > > > >>
> > > > > > >> On 10/11/2023 16:49, Mark Foley wrote:
> > > > > > >>> I recently upgraded from Tomcat 10.0.17 to 10.1.13.  ...
> > > > > > >>>
> > > > > > >>> [deleted]
> > > > > >
> > > > > I've put your suggested code in place.
> > > > >
> > > > > <%@ page import="jakarta.servlet.http.Part" %>
> > > > >
> > > > > I replaced your:
> > > > >
> > > > >   throw new IllegalStateException("Expected multi-part");
> > > > >
> > > > > with:
> > > > >
> > > > > out.println("Expected multi-part");
> > > > >
> > > > > Just to get things compiling OK.  I'll deal with errors later.
> > > > > With that change, it compiled w/o problem.  I then attempted an
> > > > > upload.  The
> > > line:
> > > > >
> > > > >if(null == contentType ||
> > > > > !contentType.startsWith("multipart/form-data;"))
> > > > > {
> > > > >
> > > > > returned TRUE so it did detect a multipart upload. Yay! That was
> > > > > a relief However
> > > > >
> > > > >Part fileUpload = request.getPart("param-name");
> > > > >
> > > > > Gave me the error:
> > > > >
> > > > > java.lang.IllegalStateException: Unable to process parts as no
> > > > > multi-part configuration has been provided
> > > > >
> > > > > So, what does it mean that "no multi-part configuration has been
> > > provided"?
> > > > > Is "param-name" something I'm supposed to fill in? I tried
> > > > > substituting the  field name, "taxResults",
> > > > > but that
> > > gave the same error.
> > > >
> > > > The form element must have the attribute enctype="multipart/form-
> > > data".
> > > > Furthermore, the servlet must be annotated by "@MultipartConfig"
> > > >
> > > > I think for jsp files, there is a similar setting in the web.xml.
> > > > This link might help out:
> > > > https://stackoverflow.com/questions/37965890/add-annotation-to-jsp
> > >
> > > Thanks for your reply Thomas.
> > >
> > > I've checked your suggested link and I have no idea where to put all
> > > that  stuff.  Furthermore, the poster of that issue didn't say
> > > he got it working.
> > >
> > > > A responder to the post said, "Actually every jsp file will be
> > > > converted to servlet because tomcat can only address servlet and so
> > > > every jsp file is indirectly a servlet and has all the features of
> > > > it". I think he is suggesting that the  code is superfluous, but not
> > > > explicitly stated as such.
> > >
> > > I am getting a TRUE return for
> > >
> > >   if(null == contentType ||
> > 

AW: AW: FileUpload class not working with Tomcat 10.1

2023-11-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark,


> -Original Message-
> From: Mark Foley 
> Sent: Monday, 13 November 2023 23:12
> To: users@tomcat.apache.org
> Subject: Re: AW: FileUpload class not working with Tomcat 10.1
> 
> On Mon Nov 13 02:18:49 2023 "Thomas Hoffmann (Speed4Trade GmbH)"
>  wrote:
> > Hello,
> >
> > > -Original Message-
> > > From: Mark Foley 
> > > Sent: Sunday, 12 November 2023 19:04
> > > To: users@tomcat.apache.org
> > > Subject: Re: FileUpload class not working with Tomcat 10.1
> > >
> > > On Fri Nov 10 15:57:50 2023 Christopher Schultz
> > >  wrote:
> > > >
> > > > Mark,
> > > >
> > > > On 11/10/23 12:53, Mark Foley wrote:
> > > > > On Fri, 10 Nov 2023 17:11:59 Mark Thomas  wrote:
> > > > >>
> > > > >> On 10/11/2023 16:49, Mark Foley wrote:
> > > > >>> I recently upgraded from Tomcat 10.0.17 to 10.1.13.  ...
> > > > >>>
> > > > >>> [deleted]
> > > >
> > > I've put your suggested code in place.
> > >
> > > <%@ page import="jakarta.servlet.http.Part" %>
> > >
> > > I replaced your:
> > >
> > >   throw new IllegalStateException("Expected multi-part");
> > >
> > > with:
> > >
> > > out.println("Expected multi-part");
> > >
> > > Just to get things compiling OK.  I'll deal with errors later. With
> > > that change, it compiled w/o problem.  I then attempted an upload.  The
> line:
> > >
> > >if(null == contentType ||
> > > !contentType.startsWith("multipart/form-data;"))
> > > {
> > >
> > > returned TRUE so it did detect a multipart upload. Yay! That was a
> > > relief However
> > >
> > >Part fileUpload = request.getPart("param-name");
> > >
> > > Gave me the error:
> > >
> > > java.lang.IllegalStateException: Unable to process parts as no
> > > multi-part configuration has been provided
> > >
> > > So, what does it mean that "no multi-part configuration has been
> provided"?
> > > Is "param-name" something I'm supposed to fill in? I tried
> > > substituting the  field name, "taxResults", but that
> gave the same error.
> >
> > The form element must have the attribute enctype="multipart/form-
> data".
> > Furthermore, the servlet must be annotated by "@MultipartConfig"
> >
> > I think for jsp files, there is a similar setting in the web.xml.
> > This link might help out:
> > https://stackoverflow.com/questions/37965890/add-annotation-to-jsp
> 
> Thanks for your reply Thomas.
> 
> I've checked your suggested link and I have no idea where to put all that
>  stuff.  Furthermore, the poster of that issue didn't say he got it
> working.
> 
> A responder to the post said, "Actually every jsp file will be converted to
> servlet because tomcat can only address servlet and so every jsp file is
> indirectly a servlet and has all the features of it". I think he is suggesting that
> the  code is superfluous, but not explicitly stated as such.
> 
> I am getting a TRUE return for
> 
>   if(null == contentType || !contentType.startsWith("multipart/form-data;"))
> 
> so I think it is recognizing it as "multipart/form-data;".
> 
> Does anyone have an example of a JSP program with
> jakarta.servlet.http.Part class?
> 
> I'll search for examples as well, but I really have no idea how to proceed.
> 
> --Mark F.
> 

The servlet specification defines the special folder WEB-INF.
Within this folder, there is the configuration file named web.xml.
Within this xml-File, the application is configured including the servlets.
JSP-Files are compiled to servlets, either on-the-fly or during compilation 
time.

I would recommend to take a look at some sample applications to get familiar 
with some java web-applications and the web.xml file.

It is not only about the jsp-file but also the combination with the application 
configuration within the web.xml
Thus you will need both, jsp-file and a corresponding web.xml configuration.

Greetings!
Thomas
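
The web.xml side of this, as an added example that is not part of the original thread: a JSP declared as a servlet through `<jsp-file>` can carry a `<multipart-config>`, and the function below reports for each such entry whether it has one and whether an upload size limit is set. The check is line-oriented and assumes one element per line; the servlet names, `/otherUpload.jsp` and the size values are constructed, while `/schDistImportResults.jsp` is the JSP named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit web.xml for JSP servlets that
# handle uploads without a multipart-config or without a size limit.

# Constructed web.xml. The first servlet shows the configuration that
# request.getPart() needs; the second one lacks it on purpose.
sample_web_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>importResults</servlet-name>
    <jsp-file>/schDistImportResults.jsp</jsp-file>
    <multipart-config>
      <max-file-size>5242880</max-file-size>
      <max-request-size>6291456</max-request-size>
    </multipart-config>
  </servlet>
  <servlet>
    <servlet-name>otherUpload</servlet-name>
    <jsp-file>/otherUpload.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>importResults</servlet-name>
    <url-pattern>/schDistImportResults.jsp</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>otherUpload</servlet-name>
    <url-pattern>/otherUpload.jsp</url-pattern>
  </servlet-mapping>
</web-app>
EOF
}

# Reads web.xml from the named file(s) or stdin and prints one line per
# <servlet> that points at a JSP:
#   NAME JSP multipart=yes|no max-file-size=VALUE|unset
# "unset" means the container default applies, which is no size limit.
multipart_audit() {
    awk '
    function text(s) {
        gsub(/<[^>]*>/, "", s)            # drop the tags
        gsub(/^[ \t]+|[ \t]+$/, "", s)    # trim
        return s
    }
    /<servlet>/                 { in_s = 1; name = ""; jsp = ""; mp = "no"; max = "unset" }
    in_s && /<servlet-name>/    { name = text($0) }
    in_s && /<jsp-file>/        { jsp = text($0) }
    in_s && /<multipart-config/ { mp = "yes" }
    in_s && /<max-file-size>/   { max = text($0) }
    /<\/servlet>/ {
        if (in_s && jsp != "")
            printf "%s %s multipart=%s max-file-size=%s\n", name, jsp, mp, max
        in_s = 0
    }
    ' "$@"
}

if [ "$#" -gt 0 ]; then
    multipart_audit "$@"
else
    sample_web_xml | multipart_audit
fi
```

A JSP reported with `multipart=no` is one where `request.getPart()` fails with the "no multi-part configuration has been provided" error quoted above.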




AW: FileUpload class not working with Tomcat 10.1

2023-11-12 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Mark Foley 
> Sent: Sunday, 12 November 2023 19:04
> To: users@tomcat.apache.org
> Subject: Re: FileUpload class not working with Tomcat 10.1
> 
> On Fri Nov 10 15:57:50 2023 Christopher Schultz
>  wrote:
> >
> > Mark,
> >
> > On 11/10/23 12:53, Mark Foley wrote:
> > > On Fri, 10 Nov 2023 17:11:59 Mark Thomas wrote:
> > >>
> > >> On 10/11/2023 16:49, Mark Foley wrote:
> > >>> I recently upgraded from Tomcat 10.0.17 to 10.1.13.  ...
> > >>>
> > >>> [deleted]
> > >>>
> > >>> upgraded to 10.1.13 it is broken again! Here's the error I get:
> > >>>
> > >>> An error occurred at line: [40] in the jsp file:
> > >>> [/schDistImportResults.jsp] The method
> > >>> isMultipartContent(ServletRequestContext) is undefined for the
> > >>> type FileUpload
> > >>
> > >> Tomcat's internal fork of Commons FileUpload isn't intended for
> > >> applications to use. It is not a full fork - just a limited subset
> > >> of the functionality Tomcat needs to implement the Servlet upload API.
> > >>
> > >> [deleted]
> > >
> > > My current "basic" implementation is:
> > >
> > > <%@ page import="org.apache.tomcat.util.http.fileupload.*,
> > >  org.apache.tomcat.util.http.fileupload.disk.*,
> > >  org.apache.tomcat.util.http.fileupload.servlet.*,
> > >  org.apache.commons.io.*" %>
> > >
> > > DiskFileItemFactory factory = new DiskFileItemFactory();
> > > ServletFileUpload upload = new ServletFileUpload(factory);
> > > List items = upload.parseRequest(new ServletRequestContext(request));
> > > Iterator iter = items.iterator();
> > > FileItem item = null;
> > >
> > > while (iter.hasNext())
> > > {
> > >     item = (FileItem) iter.next();
> > >
> > >     resultsFile = new File(getServletContext().getRealPath("") + "/tmp/schTaxResults.txt");
> > >
> > >     try { item.write(resultsFile); }
> > >     catch ( Exception e) { out.println("Exception: " + e); }
> > > }
> > >
> > > If you could tell me what the officially preferred Apache Tomcat
> > > FileUpload mechanism is, and what the correct jar and functions are
> > > to accomplish the above, I'd be very grateful!
> >
> >
> > No offense, but the above is horrifying. All that Java code in a JSP
> > makes me cringe. You can do this however you want, but I'd recommend
> > putting Java code into a proper servlet and letting the JSP handle
> > display only.
> >
> > Anyway, I'll get off my soapbox.
> >
> > The easiest thing IMO for you to do is stop trying to parse the upload
> > yourself and use the container. You must have migrated this
> > application forward for like 10 years or something if you are still
> > using a separate library to handle multipart-form-uploads. This has
> > been a part of the code servlet API for some time, now, and you should
> use it:
> 
> This program was originally written 9 years ago and I just monkey-typed the
> original solution from advice and help I found on the web. Likewise, when
> things broke on my upgrade to Tomcat 10.0.17 I got the "how to fix" from
> StackOverflow.
> In short, I've always depended on the kindness of strangers to get this
> Upload mechanism working!
> 
> > import jakarta.servlet.http.Part;
> >
> > ...
> >
> > String contentType = request.getContentType();
> > if(null == contentType || !contentType.startsWith("multipart/form-data;")) {
> >     logger.warn("Received non-multipart request");
> >
> >     throw new IllegalStateException("Expected multi-part");
> > }
> >
> > // Tomcat 10 (Jakarta Servlet) publishes the temp dir under the jakarta.* attribute name
> > java.io.File tmpDir =
> >     (java.io.File)request.getServletContext().getAttribute("jakarta.servlet.context.tempdir");
> >
> > java.io.File targetFile = new java.io.File(tmpDir, "schTaxResults.txt");
> >
> > Part fileUpload = request.getPart("param-name");
> >
> > if(null != fileUpload) {
> >     fileUpload.write(targetFile.getAbsolutePath());
> > }
> 
> I've removed my "horrifying" code and put your suggested code in place. I
> replaced your:
> 
>   throw new IllegalStateException("Expected multi-part");
> 
> with:
> 
> out.println("Expected multi-part");
> 
> Just to get things compiling OK.  I'll deal with errors later. With that change, it
> compiled w/o problem.  I then attempted an upload.  The line:
> 
>if(null == contentType || !contentType.startsWith("multipart/form-data;"))
> {
> 
> returned TRUE so it did detect a multipart upload. Yay! That was a relief
> However
> 
>Part fileUpload = request.getPart("param-name");
> 
> Gave me the error:
> 
> java.lang.IllegalStateException: Unable to process parts as no multi-part
> configuration has been provided
> 
> So, what does it mean that "no multi-part configuration has been provided"?
> Is "param-name" something I'm supposed to fill in? I tried substituting the
>  field name, "taxResults", but that gave the same error.


The form element must have the attribute enctype="multipart/form-data".
Furthermore, the servlet must be annotated by "@MultipartConfig"

I think for jsp files, there is a similar setting in the web.xml.
This link might 

AW: [External]Re: Tomcat 10 on RHEL 8 with Java 17

2023-09-27 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hi Chris,

> -Original Message-
> From: Christopher Bland 
> Sent: Wednesday, 27 September 2023 19:19
> To: Tomcat Users List 
> Subject: Re: [External]Re: Tomcat 10 on RHEL 8 with Java 17
> 
> Hi Chris,
> 
> I didn’t get the error message.  Tomcat still isn’t starting
> 
> # ./catalina.sh run
> Using CATALINA_BASE:   /usr/local/tomcat
> Using CATALINA_HOME:   /usr/local/tomcat
> Using CATALINA_TMPDIR: /usr/local/tomcat/temp
> Using JRE_HOME:        /usr/lib/jvm/java-17-openjdk-17.0.8.0.7-2.el8.x86_64
> Using CLASSPATH:       /usr/local/tomcat/bin/*:/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
> Using CATALINA_OPTS:   -XX:+UseG1GC -Xmx3000m
> 
> # ps -ef | grep tomc
> root  104975  104815  0 13:08 pts/0    00:00:00 grep --color=auto tomc
 
You grep for tomcat. The file starts a java-process. Maybe it doesn’t catch the 
right process.
Could you check whether java processes are running?

Or check "netstat -tulpen" if something is listening on the specified port 
(according to server.xml).


> @Darryl
> 
> Hi Darryl,
> 
> Just checked, permissions look correct
> 
> # ls -ld /var/log/tomcat/ /usr/local/tomcat/logs/
> drwxr-x---. 2 tomcat tomcat 26 Sep 26 20:14 /usr/local/tomcat/logs/
> drwxr-xr-x. 2 tomcat tomcat  6 Sep 26 19:48 /var/log/tomcat/
> 
> 
> -Chris
> 
> 
> From: Darryl Baker 
> Date: Wednesday, September 27, 2023 at 12:59 PM
> To: Tomcat Users List 
> Subject: [External]Re: Tomcat 10 on RHEL 8 with Java 17
> 
> Chris,
> With no logs at all check the permissions on the log directories and make
> sure that the user Tomcat is running as has write permissions there.  This
> sounds very much like what I ran into my first time setting up Tomcat from
> scratch.
> 
> On 9/27/23, 9:31 AM, "Christopher Bland" wrote:
> 
> 
> Hi All,
> 
> 
> I just deployed Tomcat v10.1.13 on a new machine. When I start Tomcat it
> says it has started but I don’t see the daemon running and I don’t have any
> logs. I tried running Catalina.sh directly.
> 
> 
> # ./catalina.sh start
> Using CATALINA_BASE: /usr/local/tomcat
> Using CATALINA_HOME: /usr/local/tomcat
> Using CATALINA_TMPDIR: /usr/local/tomcat/temp
> Using JRE_HOME: /usr/lib/jvm/java-17-openjdk-17.0.8.0.7-2.el8.x86_64
> Using CLASSPATH: /usr/local/tomcat/bin/*:/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
> Using CATALINA_OPTS: -XX:+UseG1GC -Xmx3000m
> Tomcat started.
> 
> 
> Not running – No Daemon + No Logs
> 
> 
> # ./catalina.sh debug
> Using CATALINA_BASE: /usr/local/tomcat
> Using CATALINA_HOME: /usr/local/tomcat
> Using CATALINA_TMPDIR: /usr/local/tomcat/temp
> Using JAVA_HOME: /usr/lib/jvm/java-17-openjdk-17.0.8.0.7-2.el8.x86_64
> Using CLASSPATH: /usr/local/tomcat/bin/*:/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
> Using CATALINA_OPTS: -XX:+UseG1GC -Xmx3000m
> invalid option: --add-opens=java.base/java.lang=ALL-UNNAMED
> 
> 
> Usage: jdb   
> 
> 
> where options include:
> 
> 
> There are several of the --add-opens statements that cause startup to fail in
> catalina.sh
> 
> 
> # Add the module start-up parameters required by Tomcat
> JAVA_OPTS="$JAVA_OPTS --add-opens=java.base/java.lang=ALL-UNNAMED"
> JAVA_OPTS="$JAVA_OPTS --add-opens=java.base/java.io=ALL-UNNAMED"
> JAVA_OPTS="$JAVA_OPTS --add-opens=java.base/java.util=ALL-UNNAMED"
> JAVA_OPTS="$JAVA_OPTS --add-opens=java.base/java.util.concurrent=ALL-UNNAMED"
> JAVA_OPTS="$JAVA_OPTS --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED"
> 
> 
> 
> 
> Not sure what to do.
> 
> 
> -Chris
> 
> 
> 
> 



AW: Unable to get local issuer certificate

2023-09-21 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Andy,

> -Original Message-
> From: Andy Pont 
> Sent: Monday, 18 September 2023 19:48
> To: Tomcat Users List 
> Subject: Re: Unable to get local issuer certificate
> 
> Thomas wrote…
> 
> >This means, the calling program can't verify the certificate.
> >Check whether all the intermediates are delivered by tomcat.
> >Furthermore, the calling program must know the root-certificate of your
> webserver certificate.
> 
> If I look at a random website using 'openssl s_client -showcerts -connect’
> then I get the server certificate plus two others:
> 
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = xxx.mydomain.com
> 
> If I use the same command with the Tomcat servlet then it gives the
> following:
> 
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 
> The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go
> Daddy Root Certificate Authority - G2” according to the browser.
> 
> My guess is that the .pfx file that Tomcat is using doesn’t include them.
> 
> -Andy.
> 
> -

You can check the pfx file via:
keytool -list -v -storetype pkcs12 -keystore server.p12 

If the file doesn’t contain the intermediate certificates, you have to add them.
Don’t add the root certificate because the client has to have it anyway.

You might also consider using PEM files instead of pfx files. 
In my opinion they are easier to handle and you don’t need additional tools to 
modify them.

Greetings, Thomas
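
The check described in this reply (are the intermediates in the .pfx, and is the root left out) can also be done programmatically. The following is an added example, not code from the thread or from Tomcat; the class name `Pkcs12ChainCheck` and the wording of the findings are assumptions made for illustration.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name): lists the chain stored with each
// private key in a PKCS12/.pfx file and flags the situations discussed above.
public class Pkcs12ChainCheck {

    // Compares names only; it does not verify signatures.
    static boolean isSelfIssued(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    // chain.get(0) is the server certificate, followed by whatever was stored with it.
    static List<String> inspect(List<X509Certificate> chain) {
        List<String> findings = new ArrayList<>();
        X509Certificate leaf = chain.get(0);
        if (chain.size() == 1 && !isSelfIssued(leaf)) {
            findings.add("MISSING INTERMEDIATES: only the server certificate is stored; issuer is "
                    + leaf.getIssuerX500Principal().getName());
        }
        for (int i = 0; i + 1 < chain.size(); i++) {
            if (!chain.get(i).getIssuerX500Principal()
                    .equals(chain.get(i + 1).getSubjectX500Principal())) {
                findings.add("BROKEN ORDER: entry " + i + " was not issued by entry " + (i + 1));
            }
        }
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && isSelfIssued(last)) {
            findings.add("ROOT INCLUDED: the last entry is self-issued; clients must already "
                    + "trust the root, so it does not need to be delivered");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java Pkcs12ChainCheck <file.p12>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the password is read without echo");
        }
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, password);
        }

        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] raw = ks.getCertificateChain(alias);
            if (!ks.isKeyEntry(alias) || raw == null) {
                continue; // only key entries carry the chain the server presents
            }
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : raw) {
                chain.add((X509Certificate) c);
            }
            System.out.println("alias: " + alias);
            for (int i = 0; i < chain.size(); i++) {
                System.out.println("  [" + i + "] subject=" + chain.get(i).getSubjectX500Principal().getName());
                System.out.println("      issuer =" + chain.get(i).getIssuerX500Principal().getName());
            }
            List<String> findings = inspect(chain);
            if (findings.isEmpty()) {
                System.out.println("  OK: chain is ordered and ends below the root");
            }
            for (String f : findings) {
                System.out.println("  " + f);
            }
        }
    }
}
```
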


AW: Unable to get local issuer certificate

2023-09-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Andy,

> -Original Message-
> From: Andy Pont 
> Sent: Monday, 18 September 2023 19:08
> To: users@tomcat.apache.org
> Subject: Unable to get local issuer certificate
> 
> Hello,
> 
> I am receiving the above error when a GitLab webhook tries to call my
> servlet.  The full text of the error states:
> 
> SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable
> to get local issuer certificate).
> 
> If I try to access any of the servlets running in the same Tomcat server from a
> web browser then the certificate is OK and the padlock icon appears as
> expected.  The certificate that is used by Tomcat is a domain wildcard
> certificate issued by Go-Daddy.
> 
> Any ideas on what isn’t being correctly sent in response to the GitLab
> webhook?
> 
> Thanks,
> 
> Andy.
> 
> -

This means, the calling program can't verify the certificate.
Check whether all the intermediates are delivered by tomcat.
Furthermore, the calling program must know the root-certificate of your 
webserver certificate.

Maybe you can post the certificate chain.
You might use openssl for this, or https://github.com/rbsec/sslscan for example.
Don’t use the browser because it doesn’t show what the server delivers.

Greetings,
Thomas






AW: HSTS on 401 / error pages

2023-09-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

thanks for all your suggestions and input and also Chris for digging into the 
underlying reason.
As tomcat is running standalone I think I will leave it as it is.
Setting up a reverse proxy or containerization for this reason sounds like 
overdoing it in this case.

I will take it as a "cosmetic imperfection" and maybe ask also the 
burpsuite-team if this finding is justified.

I wish all a nice weekend!
Thomas

> -Original Message-
> From: Roberto Benedetti 
> Sent: Saturday, 16 September 2023 11:46
> To: Tomcat Users List 
> Subject: R: HSTS on 401 / error pages
> 
> If you have a fronting reverse proxy/load balancer (HAProxy, NGINX,
> Apache) you can use them to set HSTS and let Tomcat set the other security
> headers.
> If your application is running in a container (Kubernetes, Openshift, OKD),
> they all have the option to add HSTS in Ingress/Route. Again, the other
> security options are left to Tomcat.
> 
> We had the same issue and that's how we passed the pen-test.
> 
> Roberto
> 
> -Original Message-
> From: Peter Kreuser 
> Sent: Friday, 15 September 2023 21:34
> To: Tomcat Users List 
> Subject: Re: HSTS on 401 / error pages
> 
> 
> d) !!!
> 
> BTW: HSTS needs to be evaluated only once and then sticks in the browser!
> So unless the 401 is the first page ever, this change would not be really
> necessary.
> 
> Peter
> 
> > On 15.09.2023 at 17:58, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >
> > Hello Chris,
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Friday, 15 September 2023 17:15
> >> To: users@tomcat.apache.org
> >> Subject: Re: AW: HSTS on 401 / error pages
> >>
> >> Thomas,
> >>
> >>> On 9/14/23 10:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>> Hello Chris,
> >>>
> >>>> -Original Message-
> >>>> From: Christopher Schultz 
> >>>> Sent: Thursday, 14 September 2023 15:26
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: HSTS on 401 / error pages
> >>>>
> >>>> Thomas,
> >>>>
> >>>> Please start a new thread next time.
> >>>
> >>> Sorry, I thought removing all content and subject is sufficient.
> >>> Maybe the message-id header is used internally(?)
> >>
> >> Absolutely. That's what "reply" does on a mailing list...
> >>
> >>>
> >>>> On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>>>> Hello everyone,
> >>>>>
> >>>>> I would like to get your opinion about the
> >>>>> HttpHeaderSecurityFilter in
> >>>> Tomcat.
> >>>>> I configured HSTS in Tomcat and it works well.
> >>>>> When I do a pen-test with burpsuite it complains that HSTS header
> >>>>> is
> >>>> missing on 401 responses.
> >>>>> I couldn’t find much information about whether HSTS makes sense
> >>>>> for
> >>>> error pages.
> >>>>>
> >>>>> It seems that Tomcat doesn’t send HSTS on 401 pages but
> >>>>> burpsuite
> >>>> expects the header.
> >>>>> Are there any pros and cons about sending HSTS on 401 response?
> >>>>
> >>>> You should always return an HSTS header.
> >>>>
> >>>> How have you configured your HttpHeaderSecurityFilter? What is
> >>>> causing the
> >>>> 401 response? Which application is responding with that status?
> >>>>
> >>>> -chris
> >>>>
> >>>
> >>> Here are the requested details:
> >>>
> >>> SecurityFilter is set in the web.xml of the application:
> >>> 
> >>>httpHeaderSecurity
> >>> >> class>org.apache.catalina.filters.HttpHeaderSecurityFilter >> class>ass>
> >>>true
> >>>
> >>> hstsEnabled
> >>> true
> >>>
> >>> ...
> >>>
> >>> Further down in the web.xml is a constraint:
> >>>
> >>>  
> >>>  xxx
> >>>  /*
> >>>   

AW: AW: HSTS on 401 / error pages

2023-09-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Chris,

> -Original Message-
> From: Christopher Schultz 
> Sent: Friday, 15 September 2023 17:15
> To: users@tomcat.apache.org
> Subject: Re: AW: HSTS on 401 / error pages
> 
> Thomas,
> 
> On 9/14/23 10:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello Chris,
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Thursday, 14 September 2023 15:26
> >> To: users@tomcat.apache.org
> >> Subject: Re: HSTS on 401 / error pages
> >>
> >> Thomas,
> >>
> >> Please start a new thread next time.
> >
> > Sorry, I thought removing all content and subject is sufficient. Maybe
> > the message-id header is used internally(?)
> 
> Absolutely. That's what "reply" does on a mailing list...
> 
> >
> >> On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>> Hello everyone,
> >>>
> >>> I would like to get your opinion about the HttpHeaderSecurityFilter
> >>> in
> >> Tomcat.
> >>> I configured HSTS in Tomcat and it works well.
> >>> When I do a pen-test with burpsuite it complains that HSTS header is
> >> missing on 401 responses.
> >>> I couldn’t find much information about whether HSTS makes sense for
> >> error pages.
> >>>
> >>> It seems that Tomcat doesn’t send HSTS on 401 pages but burpsuite
> >> expects the header.
> >>> Are there any pros and cons about sending HSTS on 401 response?
> >>
> >> You should always return an HSTS header.
> >>
> >> How have you configured your HttpHeaderSecurityFilter? What is
> >> causing the
> >> 401 response? Which application is responding with that status?
> >>
> >> -chris
> >>
> >
> > Here are the requested details:
> >
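> > SecurityFilter is set in the web.xml of the application:
> > <filter>
> >     <filter-name>httpHeaderSecurity</filter-name>
> >     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >     <async-supported>true</async-supported>
> >     <init-param>
> >         <param-name>hstsEnabled</param-name>
> >         <param-value>true</param-value>
> >     </init-param>
> > ...
> >
> > Further down in the web.xml is a constraint:
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>xxx</web-resource-name>
> >         <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >
> >     <auth-constraint>
> >         <role-name>yyy</role-name>
> >     </auth-constraint>
> >
> >     <user-data-constraint>
> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >     </user-data-constraint>
> > </security-constraint>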
> >
> >
> > There is no frontend-server, tomcat is directly accessed from the browser.
> > It seems that burpsuite didn’t send authentication in the first place and this
> > resulted in 401.
> >
> > If I use curl https:///  I get similar result:
> > < HTTP/1.1 401
> > < WWW-Authenticate: Negotiate
> > < Content-Type: text/html;charset=utf-8
> > < Content-Language: de
> > < Content-Length: 439
> > < Date: Thu, 14 Sep 2023 13:58:10 GMT
> >
> > When providing credentials to curl, the following headers are also included:
> > < Strict-Transport-Security: max-age=31536000;includeSubDomains
> > < X-Frame-Options: DENY
> > < X-Content-Type-Options: nosniff
> > < X-XSS-Protection: 1; mode=block
> >
> > I hope this information helps.
> 
> Authentication is checked before any filters run, because authentication is
> performed by a Valve, all of which run before any Filters run.
> 
> I'm not sure there is a way around this without
> 
> a. Using a fronting server of some kind
> b. Getting a change of some kind made to Tomcat
> c. Hacking this yourself
> 
> (b) is probably the best option, though I'm not sure what the best form of
> server-support for this would be.
> 
> Making HttpHeaderSecurity available in a Valve-packaging would do the trick,
> but maybe this makes sense to add at a more fundamental level to Tomcat.
> The problem is that HSTS is only one of many security-related headers and
> maybe its potential lifetime isn't that long. My guess is that sometime in the
> near future, TLS will simply be required for all web traffic. If we bake that
> kind of thing into core-Tomcat, it becomes something we will need to un-bake
> in the future, and chefs can tell you that un-baking things rarely works
> out well.
> 
> -chris
> 
> -

Thanks for your elaboration!
The security headers change from time to time, true.
Maybe it would be possible to provide a kind of "http-header-valve" which can 
be configured which headers to add?
Then you wouldn’t have a tight coupling and when headers change, you can adjust 
the configuration without changing code.
It would not be as comfortable as the HttpHeaderSecurityFilter but more 
flexible.

Option d) would be to ignore the reported finding of the pen-testing tool 

Greetings,
Thomas
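
A sketch of the configurable "http-header-valve" idea from this message, written for Tomcat 9 (`javax.servlet`; Tomcat 10 and later use `jakarta.servlet`). This is an added example, not code from the thread or from Tomcat: the class name, the package and the `headers` attribute format are assumptions, and it assumes the Valve is declared on the Host so that it runs ahead of the Context's authenticator Valve.

```java
package example.valves; // hypothetical package

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException; // jakarta.servlet.ServletException on Tomcat 10+

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/*
 * Added example: sets configured response headers before the rest of the
 * pipeline runs, so they are already present when the authenticator Valve
 * answers with 401. Assumed server.xml usage, nested inside <Host>:
 *
 *   <Valve className="example.valves.ResponseHeaderValve"
 *          headers="Strict-Transport-Security: max-age=31536000;includeSubDomains | X-Content-Type-Options: nosniff" />
 */
public class ResponseHeaderValve extends ValveBase {

    private static final String HSTS = "Strict-Transport-Security";

    private final Map<String, String> headers = new LinkedHashMap<>();

    public ResponseHeaderValve() {
        super(true); // the valve does no blocking work, so async requests are fine
    }

    /**
     * Called by Tomcat's configuration parser for the "headers" attribute.
     * Format (an assumption of this example): "Name: value | Name: value".
     * '|' separates entries because ';' and ',' occur inside header values.
     */
    public void setHeaders(String spec) {
        headers.clear();
        for (String entry : spec.split("\\|")) {
            if (entry.trim().isEmpty()) {
                continue;
            }
            int colon = entry.indexOf(':');
            if (colon <= 0) {
                throw new IllegalArgumentException("Expected 'Name: value' but got: " + entry);
            }
            String name = entry.substring(0, colon).trim();
            String value = entry.substring(colon + 1).trim();
            if (name.isEmpty() || value.isEmpty() || hasLineBreak(name) || hasLineBreak(value)) {
                throw new IllegalArgumentException("Invalid header entry: " + entry);
            }
            headers.put(name, value);
        }
    }

    private static boolean hasLineBreak(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        for (Map.Entry<String, String> h : headers.entrySet()) {
            // Like HttpHeaderSecurityFilter, send HSTS only on secure requests.
            if (HSTS.equalsIgnoreCase(h.getKey()) && !request.isSecure()) {
                continue;
            }
            response.setHeader(h.getKey(), h.getValue());
        }
        // Hand over to the next valve; further down, the authenticator may answer 401.
        getNext().invoke(request, response);
    }
}
```

Because the header list is configuration, a change in recommended headers needs an edit to server.xml rather than a code change, which is the loose coupling the message asks for.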



AW: AW: HSTS on 401 / error pages

2023-09-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Shawn,

> -Original Message-
> From: Shawn Heisey 
> Sent: Friday, 15 September 2023 03:56
> To: Tomcat Users List 
> Subject: Re: AW: HSTS on 401 / error pages
> 
> On 9/14/23 08:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Sorry, I thought removing all content and subject is sufficient. Maybe
> > the message-id header is used internally(?)
> 
> TL;DR: technical details about message threading.  Not about Tomcat.
> 
> This is what happens when you reply to an existing message for a new topic
> rather than starting a brand new message:
> 
> https://www.dropbox.com/scl/fi/6f6xqoj9ndznr1pwnluuk/bad-threading-tomcat-user.png?rlkey=q6385e4fqyd2ngp97qgj4bj3y=0
> 
> There are headers in the message that facilitate threading that you can't
> normally see.  These are the relevant headers in the message you replied to:
> 
> References: <9ebb0e5d-1794-92f6-9c9f-
> 47a235a4e...@touchtonecorp.com>
>   <057e2b5435244011898683f843170...@speed4trade.com>
>   <5f704d72-03ea-457c-8d44-792ecda97...@elyograg.org>
>   <80c5af8d-d267-581a-0877-687413cd6...@apache.org>
>   <4011ac44-d7b8-3fa1-5676-34cbd9207...@christopherschultz.net>
>   
> In-Reply-To:  802edd438...@touchtonecorp.com>
> Message-ID:
> 
>  .com>
> 
> And these are the relevant headers in your reply:
> 
> Message-ID: <62e04634351c4c62ae75848a77dac...@speed4trade.com>
> References: <9ebb0e5d-1794-92f6-9c9f-
> 47a235a4e...@touchtonecorp.com>
>   <057e2b5435244011898683f843170...@speed4trade.com>
>   <5f704d72-03ea-457c-8d44-792ecda97...@elyograg.org>
>   <80c5af8d-d267-581a-0877-687413cd6...@apache.org>
>   <4011ac44-d7b8-3fa1-5676-34cbd9207...@christopherschultz.net>
>   
> 
>  .com>
> In-Reply-To:
> 
>  .com>
> 
> While some mail clients will create threads on the message subject, these
> headers are the strictly correct way to show threads.  We also see messages
> where people send a reply to a thread by writing a new message with the
> same subject.  Clients that do threading properly will not show those
> messages as part of the thread.
> 
> Thanks,
> Shawn
> 
> 

Thanks for your explanation and I see that pressing "reply" causes issues.
I already assumed that the mail headers are related to this.
I will stick to "new message" in future!

Have a nice day!
Thomas



AW: HSTS on 401 / error pages

2023-09-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Chris,

> -Original Message-
> From: Christopher Schultz 
> Sent: Thursday, 14 September 2023 15:26
> To: users@tomcat.apache.org
> Subject: Re: HSTS on 401 / error pages
> 
> Thomas,
> 
> Please start a new thread next time.

Sorry, I thought removing all content and subject is sufficient. Maybe the 
message-id header is used internally(?)

> On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello everyone,
> >
> > I would like to get your opinion about the HttpHeaderSecurityFilter in
> Tomcat.
> > I configured HSTS in Tomcat and it works well.
> > When I do a pen-test with burpsuite it complains that HSTS header is
> missing on 401 responses.
> > I couldn’t find much information about whether HSTS makes sense for
> error pages.
> >
> > It seems that Tomcat doesn’t send HSTS on 401 pages but burpsuite
> expects the header.
> > Are there any pros and cons about sending HSTS on 401 response?
> 
> You should always return an HSTS header.
> 
> How have you configured your HttpHeaderSecurityFilter? What is causing the
> 401 response? Which application is responding with that status?
> 
> -chris
> 

Here are the requested details:

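SecurityFilter is set in the web.xml of the application:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
...

Further down in the web.xml is a constraint:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>xxx</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>yyy</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>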


There is no frontend-server, tomcat is directly accessed from the browser.
It seems that burpsuite didn’t send authentication in the first place and this 
resulted in 401.

If I use curl https:///  I get similar result:
< HTTP/1.1 401
< WWW-Authenticate: Negotiate
< Content-Type: text/html;charset=utf-8
< Content-Language: de
< Content-Length: 439
< Date: Thu, 14 Sep 2023 13:58:10 GMT

When providing credentials to curl, the following headers are also included:
< Strict-Transport-Security: max-age=31536000;includeSubDomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block

I hope this information helps.

Thanks in advance!
Thomas


HSTS on 401 / error pages

2023-09-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello everyone,

I would like to get your opinion about the HttpHeaderSecurityFilter in Tomcat.
I configured HSTS in Tomcat and it works well.
When I do a pen-test with burpsuite it complains that HSTS header is missing on 
401 responses.
I couldn’t find much information about whether HSTS makes sense for error pages.

It seems that Tomcat doesn’t send HSTS on 401 pages but burpsuite expects the 
header.
Are there any pros and cons about sending HSTS on 401 response?

Thanks in advance!
Thomas




AW: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Shawn Heisey 
> Sent: Wednesday, 13 September 2023 15:00
> To: users@tomcat.apache.org
> Subject: Re: AW: Solution to "Invalid keystore format" (cross-posted to
> Tomcat Users List at Apache, and Java 400 List at Midrange)
> 
> On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > I moved away from using the proprietary java keystore format.
> > I switched to using Base64 PEM format. This is usually also the format you
> get from the certificate issuer.
> > No need to convert it into Java format any more and you can also open it
> with any text editor.
> 
> I have never been able to get a Java program to accept a certificate/key in
> PEM format.  The closest I've been able to come is creating a PKCS12 file with
> openssl.  Annoying because all the other software I use accepts PEM with no
> problem, and as you have said, PEM is the format generally produced by a
> CA.
> 
> How did you get it to take a PEM cert?
> 
> Thanks,
> Shawn
> 

If you want to use it for SSL / https, my server.xml snippet looks like:







Greetings, Thomas




AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-12 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello James,

> -Original Message-
> From: James H. H. Lampert 
> Sent: Monday, 11 September 2023 18:31
> To: Java 400 List ; Tomcat Users List
> 
> Subject: Solution to "Invalid keystore format" (cross-posted to Tomcat Users
> List at Apache, and Java 400 List at Midrange)
> 
> Ladies and Gentlemen of Both Lists:
> 
> Last Friday evening, I ran into a problem updating SSL/TLS keystores on two
> customer boxes, and spent three hours yesterday, finding the cause, doping
> out a way to salvage the certs they'd paid for, and doping out a solution to
> keep it from happening in the future.
> 
> It seems that with the new keystores (generated on my Mac, initially created
> with Keytool, and then maintained with Keystore Explorer), they were
> getting:
> 
>  >   Throwable occurred: java.io.IOException: Invalid keystore format
> >   at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
> >   at java.security.KeyStore.load(KeyStore.java:414)
> 
> I put them back on their old keystores, and cycled Tomcat again, to get them
> back up, and then spent three hours working the problem yesterday
> (Sunday) afternoon.
> 
> It turns out that the default keytool on my new Mac is the one from Java 17.
> And the customer boxes are running Tomcat under much older JVMs,
> because there's always a significant time lag before any given JVM makes it
> to an IBM Midrange box.
> 
> So I was able to salvage one of the certs (and its CA reply, and its
> chain) by moving the cert to a keystore generated on my *old* Mac (with
> Java 8 as the default JVM), and then re-signing and re-chaining it in KSE. And I
> tested the KS on our V6 box, to make *sure* it worked.
> 
> I then looked for a way, since my new Mac *has* a Java 8 JVM (it's just not
> the default), to conveniently use that JVM's Keytool, and came up with a
> wrapper BASH script to do the job. I tested the wrapper script by using it to
> generate their new keystore.
> 
> Key takeaway (no pun intended) here: if you get an "Invalid keystore
> format" in Tomcat (or presumably anything else that uses Java Keystores),
> when generating a keystore on one box for use on another, *look for a
> difference in JVM.*
> 
> --
> JHHL
> 

I moved away from using the proprietary java keystore format.
I switched to using Base64 PEM format. This is usually also the format you get 
from the certificate issuer.
No need to convert it into Java format any more and you can also open it with 
any text editor.

Greetings,
Thomas




AW: page extends not working???

2023-09-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Aryeh Friedman 
> Sent: Saturday, 9 September 2023 12:57
> To: Tomcat Users List 
> Subject: Re: page extends not working???
> 
> Oops forgot to include the full log see below replaced inline
> 
> On Sat, Sep 9, 2023 at 6:52 AM Aryeh Friedman
>  wrote:
> >
> > Every other jsp in my webapp (and other webapps on the same tomcat
> > instance [9.0.75]) works and I am using a the default container but as
> > curl/catalina.out show BasePage is *NEVER* being called (either the
> > _jspService() or the getX()):
> >
> 
> src/java/dashboard/web/pages/BasePage.java
> package dashboard.web.pages;
> 
> import java.io.IOException;
> 
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.jsp.HttpJspPage;
> 
> import org.apache.jasper.runtime.HttpJspBase;
> 
> public class BasePage extends HttpJspBase {
> @Override
> public void _jspService(HttpServletRequest req,HttpServletResponse res)
> throws IOException,ServletException
> {
> System.out.println("Hello, world");// where does this go catalina.out?
> }
> 
> public int getX()
> {
> System.out.println("Hello, to the the framework from hell");
> return 123234;
> }
> 
> public static final long serialVersionUID=0L;
> }
> tlaitc-dashboard-1a1.C017@sarek1024% !cu curl http://sarek1024:8080/tlaitc-dashboard-1a1/
> 
> 
> hi x is
> tlaitc-dashboard-1a1.C017@sarek1024% sudo tail -10 /usr/local/apache-tomcat-9.0/logs/catalina.out
> 09-Sep-2023 06:29:58.770 INFO [Catalina-utility-2] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> 09-Sep-2023 06:29:58.771 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/apache-tomcat-9.0/webapps/tlaitc-dashboard-1a1.war] has finished in [69] ms
> 09-Sep-2023 06:38:58.992 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.undeploy Undeploying context [/tlaitc-dashboard-1a1]
> 09-Sep-2023 06:38:58.995 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/apache-tomcat-9.0/webapps/tlaitc-dashboard-1a1.war]
> 09-Sep-2023 06:38:59.081 INFO [Catalina-utility-2] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> 09-Sep-2023 06:38:59.082 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/apache-tomcat-9.0/webapps/tlaitc-dashboard-1a1.war] has finished in [87] ms
> 09-Sep-2023 06:43:59.239 INFO [Catalina-utility-1] org.apache.catalina.startup.HostConfig.undeploy Undeploying context [/tlaitc-dashboard-1a1]
> 09-Sep-2023 06:43:59.245 INFO [Catalina-utility-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/apache-tomcat-9.0/webapps/tlaitc-dashboard-1a1.war]
> 09-Sep-2023 06:43:59.331 INFO [Catalina-utility-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> 09-Sep-2023 06:43:59.332 INFO [Catalina-utility-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/apache-tomcat-9.0/webapps/tlaitc-dashboard-1a1.war] has finished in [87] ms
> tlaitc-dashboard-1a1.C017@sarek1024% cat src/www/WEB-INF/web.xml
> 
>  
> 
> spelling
> 
> dashboard.web.servlet.SpellingServlet
> 
> 
> 
> spelling
> /servlet/spelling
> 
> 
> 
> 
> 
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
> 

I am not quite sure what you want to achieve. Why should the BasePage-Class be 
called?
The web.xml shows the class SpellingServlet and the source is from BasePage(?)
Second, why do you derive from the class HttpJspBase and not using the 
HttpServlet-Class?

curl http://localhost://servlet/spelling
should run the SpellingServlet

Maybe you can give some more information about that.

Greetings,
Thomas




AW: where does JSTL set this cookie? javax.servlet.jsp.jstl.fmt.request.charset

2023-08-25 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Ivano Luberti 
> Sent: Friday, 25 August 2023 16:50
> To: users@tomcat.apache.org
> Subject: OT: where does JSTL set this cookie?
> javax.servlet.jsp.jstl.fmt.request.charset
> 
> Hi, I understand that this question can be OT but I don't know where to
> search for.
> 
> Looking into tomcat manager sessions I see this cookie set in each session
> 
> 
>      javax.servlet.jsp.jstl.fmt.request.charset     ISO-8859-1
> 
> 
> The value ISO-8859-1 is set even though the file encoding of the java launch
> option is set to UTF-8
> 
> There is someone who knows how JSTL decides the value of the cookie?
> 
> Or can you point me to some useful resource?
> 

Tomcat can use different cookie processors:


Maybe you can take a look at the different classes.
Traditional cookie names are 8859-1 encoded.

Greetings, Thomas



AW: Tomcat 9.0.x on Windows crashing

2023-08-24 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Daniel,

> -Original Message-
> From: Daniel Savard 
> Sent: Wednesday, 23 August 2023 19:03
> To: users@tomcat.apache.org
> Subject: Tomcat 9.0.x on Windows crashing
> 
> Hi everyone,
> 
> I didn't specify the actual Tomcat version because the problem occurs under
> all versions. We are running a commercial web application and all of a sudden
> after a while Tomcat is crashing without issuing any message. It is very likely
> due to the application. But the vendor was of no help to solve this problem
> which has existed for a long time. I suspect something like insufficient
> memory allocated to the VM or something like that. Is there anything I can
> do to gather more information on the root cause of this issue?
> 
> Tomcat is running as a service and is restarted automatically if it crashes.
> Again, the problem is very unlikely to be with Tomcat itself, but the tuning of
> the VM.
> 
> -
> Daniel Savard

You can also watch out for a file named hs_err_pid 
If the JVM is crashing hard, it usually produces this file somewhere in the 
Tomcat folder.

Greetings,
Thomas


AW: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-20 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Bhavesh Mistry 
> Sent: Sunday, 20 August 2023 04:09
> To: Tomcat Users List 
> Subject: Re: Tomcat 9 Connector config allowHostHeaderMismatch not
> working as expected
> 
> Hi Mark,
> 
> Thanks for your quick reply.   According to the spec, the Request line
> three line: http method path and version.  Basically, what I wanted to do is
> if the HOST header does not match the requested server name in the URL
> then return 404 or 403.
> 
> Can you please help me how I can do this?  From raw request, there is NO
> way to know what the user requested URL is and the HOST name as tomcat
> reconstructed that from the HOST header.
> 
> When using the following:
> 
> curl - -k "https://10.40.43.26/login?sessionExpire=true; -H   'Host:
> attacker.com'

The IP-Address will never be sent to the server. This is only used on TCP-Level 
to send the packet to the target.
The host-name is only transmitted via the HTTP-Header (-H Host:xxx).
Even if you use a domain name instead of an IP-address, this name will only be 
used to lookup the IP-address via DNS.
The TCP packet is then sent to the resolved IP-address.



> 
> request.getServerName() = attacker.com
> 
> request.getHeader("Host") = attacker.com
> 
> request.getURL() :  https://attacker.com/login?sessionExpire=true
> 
> There is no way for the server to know that the HOST header does not match
> the URL hostname name.  So the only way to stop this is to have a pre-
> determined list of hostnames and check against it.  Do you have any
> recommendations how to detect host header mismatch from application
> logic ?
> 
> Only thing I found is this to have list trusted host and compare host header
> against it:
> https://github.com/spring-projects/spring-
> security/blob/main/web/src/main/java/org/springframework/security/web/
> firewall/StrictHttpFirewall.java#L549
> 
> 
> 
> 
> 
> 
> 
> On Sat, Aug 19, 2023 at 2:10 PM Mark Thomas  wrote:
> 
> >
> > 19 Aug 2023 19:46:56 Bhavesh Mistry :
> >
> > > Hi, Tomcat Dev team and Users,
> > >
> > >
> > > I am trying to block the request and give 404 bad requests or 403
> > > when the HOST header does not match the requested server name.  My
> > > goal is to block whenever there is a mismatch in the host header and
> > > URL server name.
> > >
> > > I would appreciate your help.
> >
> > Look at the request. Despite the curl command using an IP address, the
> > actual request does not contain a host in the request line hence there
> > is no mismatch.
> >
> > Mark
> >
> >
> > >
> > > curl - -k "https://*10.40.43.26*/login?sessionExpire=true; -H
> > > '*Host:
> > > text.com *'
> > > * Using Stream ID: 1 (easy handle 0x7f8316012800)
> > >> GET /login?sessionExpire=true HTTP/2
> > > *> Host: text.com *
> > >> User-Agent: curl/8.1.2
> > >> Accept: */*
> > >
> > > Response:
> > >
> > > * HTTP/2 200 *
> > > < cache-control: no-cache, no-store, must-revalidate
> > > < expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
> > > < pragma: no-cache
> > > < expires: Thu, 01 Jan 1970 00:00:00 GMT
> > > < set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly; SameSite=strict
> > > < strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
> > > < x-xss-protection: 1; mode=block
> > > < x-frame-options: DENY
> > > < x-content-type-options: nosniff
> > > < referrer-policy: strict-origin-when-cross-origin
> > > < content-type: text/html;charset=UTF-8
> > > < content-length: 4084
> > > < date: Sat, 19 Aug 2023 19:02:11 GMT
> > >
> > > Here is my connector config:
> > >
> > >  > >connectionTimeout="2"
> > >redirectPort="443" scheme="https" secure="true"
> > > server="Versa Director"
> > >address="${tomcat.address}"  maxPostSize="-1"
> > > *allowHostHeaderMismatch="false"* />
> > >
> > >
> > >  > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >relaxedPathChars="[\\]^`{|}"
> > > relaxedQueryChars="[\\]^`{|}" *allowHostHeaderMismatch="false"
> > > *
> > >address="${tomcat.address}" minSpareThreads="100"
> > > maxThreads="200" SSLEnabled="true"
> > >scheme="https" secure="true" maxSwallowSize="-1"
> > > maxPostSize="-1">
> > >
> > > Thanks,
> > >
> > > Bhavesh
> >
> >


AW: Java Connector help needed

2023-08-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Charlie,

> -Original Message-
> From: Charlie DiDonato 
> Sent: Sunday, 13 August 2023 18:08
> To: users@tomcat.apache.org
> Subject: Java Connector help needed
> 
> Hi All,
> I am migrating from tomcat 8.5x to 9.0.78
> 
> Below is my server .xml
> 
> I don't have Apache webserver fronting this yet on my local machine
> (Windows 10).
> 
> It is a Java app.
> 
> 
> 
> Here is the part that I feel is relevant, but the full config is listed below that.-
> 
> In order to see that tomcat is working without Apache WS, do I need to also
> create an HTTP1.1 connector in addition to AJP connector?

The browser only speaks HTTP protocol. So yes, if you want to bypass Apache 
Frontend-server you need an http connector on tomcat side.

> 
> And what should happen when I define a redirectPort ?

The redirect Port is only used, when Tomcat needs to redirect HTTP to HTTPS.
If you only use HTTP or only HTTPS, this attribute is not used.

> And finally, how do I access tomcat URL to hit tomcat and bypass Apache WS?

This depends on your infrastructure. You can use a separate http(s) port, e.g.
80/443 is used by Apache and 8080 is used by Tomcat.
Then you can use http://:8080/ to access Tomcat directly. Of
course, firewall etc. must allow this traffic.
 
> Thanks
> 
> Charlie DiDonato
> 
>    address="192.168.0.28"
>    port="8009"
>    redirectPort="8020"
>    secretRequired="false"
>    maxParameterCount="1000"
>    />
> 
>    />
> 
>    SSLEngine="on" />
> 
>    className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
>    />
>    className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>    />
>    className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
>    />
> 
>    type="org.apache.catalina.UserDatabase"
>    description="User database that can be updated and saved"
>    factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>    pathname="conf/tomcat-users.xml" />
> 
>    address="192.168.0.28"
>    port="8009"
>    redirectPort="8020"
>    secretRequired="false"
>    maxParameterCount="1000"
>    />
> 
>    resourceName="UserDatabase"/>
> 
>    unpackWARs="true" autoDeploy="true">
> 
>    directory="logs"
>    prefix="localhost_access_log" suffix=".txt"
>    pattern="%h %l %u %t %r %s %b" />
> 





AW: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

2023-08-11 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Brandie,

> -Original Message-
> From: Brandie Nickey-External 
> Sent: Thursday, 10 August 2023 18:20
> To: Tomcat Users List 
> Subject: RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs
> server.xml options
> 
> Hi all,
> 
> Spying on this thread and have a little confusion.  For me tomcat is running
> on a windows server and I wasn't able to find a Catalina.sh.   I do have a
> Catalina.bat though. Does anyone know if this is supposed to be the
> equivalent to the .sh file, just for Windows?
> 
> Thanks,
> Brandie

In general, yes. Just replace .sh with .bat on Windows and you are good to go.


> 
> -Original Message-
> From: SCHWING, CHUCK 
> Sent: Thursday, August 10, 2023 4:59 AM
> To: Tomcat Users List 
> Subject: [External] RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options
> vs server.xml options
> 
> 
> Chris --
> 
> Many thanks for the clarification.  I missed the "client" in the
> jdk.tls.client.protocols jvm arg.
> 
> Regards,
> --ccs
> 
> -Original Message-
> From: Christopher Schultz 
> Sent: Thursday, August 10, 2023 2:04 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs
> server.xml options
> 
> Chuck,
> 
> On 8/9/23 13:58, SCHWING, CHUCK wrote:
> > I've looked for the answer to this online and maybe I didn't read closely
> > enough.
> > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option
> > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the same
> > TLS version is defined in my server.xml in my SSLHostConfig:
> > sslProtocol="TLS"
> >  protocols="TLSv1.2"
> >
> > My question is:  What's the precedence in play?  Does catalina.sh override
> > server.xml or is it the other way around?
> >
> > We need to migrate to TLS1.3 and we're wondering how best to configure
> > Tomcat 10 to support TLS1.2 and TLS1.3 while we're migrating.
> 
> The system property you have shown above does not affect the behavior of
> Tomcat at all. This system property affects Java's built-in TLS *client* when
> making /outgoing/ connections.
> 
> If you specify "TLSv1.2" and no other protocols, then you will not enable
> TLSv1.3. You should specify:
> 
>protocols="TLSv1.3, TLSv1.2"
> 
> in your  in order to enable TLSv1.3 and also accept TLSv1.2.
> Note that for TLSv1.3 there are other requirements, specifically a JVM with
> support if using JSSE or an OpenSSL implementation with support if using
> OpenSSL.
> 
> -chris
> 
> 


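The quoted reply in this thread separates the client-only `jdk.tls.client.protocols` property from the `protocols` attribute on `SSLHostConfig`. The script below is an added example, not code from the thread: it lists the `protocols` value of every `SSLHostConfig` in a server.xml and classifies it. The sample file and all function names are constructed for illustration, and only the plain comma-separated form shown in the thread is evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): report which TLS versions each
# <SSLHostConfig> in a Tomcat server.xml enables.

# Print one line per <SSLHostConfig>: its protocols value, or "(default)".
list_protocols() {
    # $1 = path to server.xml
    tr '\n\t' '  ' < "$1" |
    awk '{  # drop XML comments so commented-out examples are not reported
            while ((i = index($0, "<!--")) > 0) {
                rest = substr($0, i + 4); j = index(rest, "-->")
                if (j == 0) { $0 = substr($0, 1, i - 1); break }
                $0 = substr($0, 1, i - 1) substr(rest, j + 3)
            }
            print }' |
    grep -o '<SSLHostConfig[^>]*>' |
    while IFS= read -r element; do
        case $element in
            *' protocols="'*)
                printf '%s\n' "$element" | sed 's/.* protocols="\([^"]*\)".*/\1/' ;;
            *)  echo '(default)' ;;
        esac
    done
}

# Classify one protocols value: ok, tls12-only, legacy or review.
classify_protocols() {
    has13=no; has12=no; legacy=no
    for token in $(printf '%s' "$1" | tr ',' ' '); do
        case $token in
            TLSv1.3) has13=yes ;;
            TLSv1.2) has12=yes ;;
            SSLv2Hello|SSLv3|TLSv1|TLSv1.1) legacy=yes ;;
            *) echo review; return 0 ;;   # "all", +/- prefixes, defaults, typos
        esac
    done
    if [ "$legacy" = yes ]; then echo legacy
    elif [ "$has13" = yes ]; then echo ok
    elif [ "$has12" = yes ]; then echo tls12-only
    else echo review
    fi
}

# Returns 0 if every SSLHostConfig is "ok", 1 otherwise, 2 if none was found.
audit_server_xml() {
    result=$(list_protocols "$1" | while IFS= read -r value; do
        printf '%s: %s\n' "$(classify_protocols "$value")" "$value"
    done)
    case $result in
        '') return 2 ;;
    esac
    printf '%s\n' "$result"
    if printf '%s\n' "$result" | grep -qv '^ok: '; then return 1; fi
    return 0
}

# jdk.tls.client.protocols only limits outgoing connections made by the JVM,
# so finding it in the JVM options says nothing about what the connector accepts.
sets_client_only_property() {
    case " $1 " in
        *" -Djdk.tls.client.protocols="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: one TLSv1.2-only host, one with TLSv1.3 and TLSv1.2.
sample_server_xml() {
    cat <<'EOF'
<Server>
  <Service name="Catalina">
    <!-- <SSLHostConfig protocols="TLSv1,TLSv1.1" /> commented out, ignored -->
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig sslProtocol="TLS"
                     protocols="TLSv1.2">
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.3, TLSv1.2" />
    </Connector>
  </Service>
</Server>
EOF
}

if [ "$#" -gt 0 ]; then
    audit_server_xml "$1"
fi
```

Run it as `sh audit.sh conf/server.xml`; a static check like this complements, but does not replace, probing the running connector.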



AW: Update javax libs to Jakarta libs in Apache Taglibs.

2023-07-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Bharath,

> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, 12 July 2023 21:51
> To: Tomcat Users List ; CHILUKA BHARATH
> Subject: Re: Update javax libs to Jakarta libs in Apache Taglibs.
> 
> Bharath,
> 
> On 7/12/23 05:08, CHILUKA BHARATH wrote:
> > The latest Apache Taglibs(
> > https://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5) jar
> > classes using javax.servlet.* packages.
> >
> > Do we have any information w.r.t supporting Jakarta when using this
> > specific jar ?
> >
> > If not, is there any plan to release new jars by migrating javax
> > references to jakarta in Apache Taglibs ?.
> 
> This is a very good question.
> 
> From what I can tell, the latest release of taglibs (1.2.5) was released
> back in 2015.
> 
> The first question I would have about this is: Does anybody still care about
> Tomcat STL? Obviously, _you_ care, but is this a project that has simply
> matured to the point that it no longer needs updates, or has it been
> abandoned? Olivier did some work back in 2020 -- including a migration from
> javax.* to jakarta.* -- but there hasn't been any meaningful activity since
> then.
> 
> Bharath, are you able to check-out the "main" branch and build it, and does it
> work for you? We could simply release what we have currently as a beta and
> get community feedback. The only question is "what community?" We rarely
> get questions on the list and I'm not sure how many potential users there
> are.
> 
> Is there a TCK for JSTL? I don't use JSP for any meaningful project myself,
> and setting-up test-cases to even validate that the basics are working
> properly will be time-consuming.
> 
> -chris
> 

This package uses jakarta:
https://mvnrepository.com/artifact/jakarta.servlet.jsp.jstl/jakarta.servlet.jsp.jstl-api
The implementation is for example:
https://mvnrepository.com/artifact/org.glassfish.web/jakarta.servlet.jsp.jstl

Greetings,
Thomas


AW: Tomcat 9.0.76 Memory leak with Java 17

2023-07-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, 12 July 2023 21:34
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 9.0.76 Memory leak with Java 17
> 
> Michael,
> 
> On 7/12/23 07:33, Michael Osipov wrote:
> > On 2023/07/11 18:16:24 Christopher Schultz wrote:
> >> You should report all of the previous issues to Oracle against their
> >> ORDS version 22.1 and ask them to fix them. It's why you write those
> >> big, fat checks in the first place ;)
> >
> > This doesn't really matter. I have reported a memory leak in OJDBC
> > many years ago where a background thread pins the WebappClassLoader.
> > Answer from Oracle: This happens only once, does not repeat. We won't
> > address that...
> Fair enough, but that doesn't mean it's not worth reporting.
> 
> BTW the fine folks at Sun/Oracle and Connector/J are similarly confused
> when it comes to ClassLoader pinning in /their/ JDBC driver. I think they had
> a few different patches that all waved their hands _still_ failing to actually
> understand and fix the problem.
> 
> -chris
> 

It's not just the Oracle JDBC driver.
The same can happen with the SQL Server JDBC driver when you use Kerberos auth.
The ticket was also closed without a fix.


AW: Tomcat Deployment scripts

2023-06-30 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Alan,

> -Original Message-
> From: Alan F 
> Sent: Friday, 30 June 2023 12:35
> To: Tomcat Users List 
> Subject: RE: Tomcat Deployment scripts
> 
> This is great, thank you Thomas. Just wondering how secure this is, prefer to
> be able to deploy with a non 'admin' account; does this support a deploy-only
> profile there?
> 

As far as I know, there are only the default roles, described here:
https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html

What you can do for security:
- Create a strong password
- Use SSL / https
- Harden SSL (>= TLS 1.2, ciphers etc.)
- Restrict IP access if possible (via firewall or Valve)
- You can also restrict accessible URLs via web.xml


> 
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: 29 June 2023 09:08
> To: Tomcat Users List 
> Subject: AW: Tomcat Deployment scripts
> 
> Hello Alan,
> 
> > From: Alan F 
> > Sent: Wednesday, 28 June 2023 18:24
> > To: users@tomcat.apache.org
> > Subject: Tomcat Deployment scripts
> >
> > Anyone have an example deployment script or method used to deploy a
> > simple war and context root, also with rollback preferably.
> >
> > Thanks
> 
> You could use tomcat-manager.
> A war file can be deployed using curl for example:
> https://stackoverflow.com/questions/4432684/tomcat-manager-remote-deploy-script
> 
> Greetings, Thomas
> 





AW: Tomcat Deployment scripts

2023-06-29 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Alan,

> From: Alan F 
> Sent: Wednesday, 28 June 2023 18:24
> To: users@tomcat.apache.org
> Subject: Tomcat Deployment scripts
>
> Anyone have an example deployment script or method used to deploy a simple 
> war and context root, also with rollback preferably. 
>
> Thanks

You could use tomcat-manager.
A war file can be deployed using curl for example:
https://stackoverflow.com/questions/4432684/tomcat-manager-remote-deploy-script

Greetings, Thomas

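The curl-based manager deployment suggested in this message, combined with the hardening points from the 2023-06-30 reply in the same thread, as an added example that is not part of the original messages. It deploys each build as a new parallel-deployment version through the manager text interface and undeploys that version again if the upload or a health check fails. It assumes an account that holds only the manager-script role, credentials kept in a curl netrc file, and placeholder values for the host, context path and health URL.

```shell
#!/bin/sh
# Added example (not from the thread): versioned deploy with rollback via the
# Tomcat manager text interface. Host name, file names and paths below are
# placeholders, not values from the thread.

MANAGER_URL="${MANAGER_URL:-https://tomcat.example.internal:8443/manager/text}"
# Credentials live in a netrc file (chmod 600) so the password never shows up
# in the process list or shell history.
NETRC_FILE="${NETRC_FILE:-$HOME/.netrc-tomcat-deploy}"

# Build a manager URL for a command, context path and version.
manager_url() {
    # $1 = command (deploy|undeploy), $2 = context path, $3 = version
    printf '%s/%s?path=%s&version=%s' "$MANAGER_URL" "$1" "$2" "$3"
}

# The text interface answers with a line starting "OK - " or "FAIL - ".
manager_ok() {
    case $1 in
        "OK - "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Accept only versions that are safe to place in a URL unencoded.
valid_version() {
    case $1 in
        ''|*[!0-9A-Za-z._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Call the manager over HTTPS only, TLS 1.2 or newer.
manager_call() {
    # $1 = full URL, remaining arguments are passed on to curl
    url=$1; shift
    curl --silent --show-error --fail --proto '=https' --tlsv1.2 \
         --netrc-file "$NETRC_FILE" "$@" "$url"
}

deploy_with_rollback() {
    # $1 = war file, $2 = context path, $3 = version, $4 = health check URL
    war=$1; ctx=$2; ver=$3; health=$4
    valid_version "$ver" || { echo "refusing version '$ver'" >&2; return 2; }
    [ -r "$war" ] || { echo "cannot read $war" >&2; return 2; }

    reply=$(manager_call "$(manager_url deploy "$ctx" "$ver")" \
                --upload-file "$war") || reply="FAIL - curl error"

    # Requests without a session are routed to the highest version, so this
    # health check exercises the build that was just deployed.
    if manager_ok "$reply" &&
       curl --silent --fail --proto '=https' --max-time 10 "$health" >/dev/null
    then
        echo "deployed $ctx version $ver"
        return 0
    fi

    # Rollback: remove only the new version; the previous one keeps serving.
    echo "deploy failed ($reply); rolling back version $ver" >&2
    manager_call "$(manager_url undeploy "$ctx" "$ver")" >&2
    return 1
}

if [ "${1:-}" = "deploy" ]; then
    shift
    deploy_with_rollback "$@"
fi
```

Invoke it as `sh deploy.sh deploy app.war /shop 20230630-1 https://tomcat.example.internal:8443/shop/health`. Versions are compared as strings, so use a scheme that sorts in release order.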



AW: Words of Wisdom re: Context Versioning - Parallel Deployment

2023-06-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Dan,

> -Original Message-
> From: Dan McLaughlin 
> Sent: Friday, 16 June 2023 18:54
> To: Tomcat Users List 
> Subject: Words of Wisdom re: Context Versioning - Parallel Deployment
> 
> Does anyone have any advice on implementing Context Versioning (parallel
> deployment) in Tomcat? It seems to have been a feature for quite some
> time.
> Is it stable?   What are the typical issues people run into? JMX issues?
> Classloader issues?
> 
> I've tried to do a parallel deployment with our applications as they exist
> today, and I can already see a few problems we'd have to address.
> 
> 1) We have a concept of a workdir where we will extract configuration-
> related properties files, XML, etc... on initial start-up; the workdir also
> contains working files related to things like XA transaction logs and
> application-specific logging. We'd probably need to append the context
> version to our workdir path so that each version can have separate
> application logs, configuration settings, etc...
> 
> 2) We use JMX MBeans throughout our apps to allow real-time configuration
> of our applications. Since our apps weren't originally developed with parallel
> deployment in mind, a parallel deployment results in two app versions
> trying to use the same JMX MBeans. I can see in our app logs when I try to
> deploy two versions, the second version will either throw an exception and
> fail to start because the MBean exists, or it will try to destroy and recreate
> the MBean--which could cause issues if it changes a setting that the first
> version of the app depended on. I assume we will need to fix all our code to
> somehow version the MBeans so there aren't conflicts.
> 
> 3) Do third-party dependencies that use JMX pose any issues? We use jgroups
> and log4j2. Both create their own mbeans, but it seems we have control over
> the names they use.
> 
> Do you know if there are any other issues we need to consider? Words of
> wisdom?
> 
> Thanks!
> 
> Dan
> 

Just some thoughts / ideas from my side:
a) If you use any scheduler (e.g. Quartz), you must use DB-based
synchronization / clustering
b) When using caches, they must be synchronized between the two apps
c) Some frameworks have built-in caches which must be taken into account
(e.g. EclipseLink)
d) Any shared resources should be checked to see whether parallel access might
cause problems
e) Opening listening ports might conflict

I would like to try this feature in the future. The points above are some
thoughts I have had so far.

Greetings,
Thomas




AW: Tomcat 9 data source configuration error

2023-06-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Jenny,

yes, endorsed was deprecated and removed from Java 11 onwards:
https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-8E83E51A-88A3-4E9A-8E2A-66E1D66A966C

Greetings, Thomas

> -Original Message-
> From: Ying Jin 
> Sent: Wednesday, 14 June 2023 17:11
> To: Tomcat Users List 
> Subject: Re: Tomcat 9 data source configuration error
> 
> I think I found the solution to this problem. It seems that this is a bug of
> an older version of Eclipse WTP.
> 
> I removed the endorsed directory argument from the debug configuration
> and it works now.
> 
> Thanks,
> Jenny
> 
> On Wed, Jun 14, 2023 at 9:43 AM Ying Jin  wrote:
> 
> > The tomcat server can’t be started in Eclipse due to following error
> > when JDK 11 is used:
> >
> > -Djava.endorsed.dirs=C:\ApacheTomcat
> > 9.0.75\apache-tomcat-9.0.75\endorsed
> > is not supported. Endorsed standards and standalone APIs
> >
> > in modular form will be supported via the concept of upgradeable modules.
> >
> >
> > Thanks,
> >
> > Jenny
> >
> > On Wed, Jun 14, 2023 at 3:28 AM Mark Thomas wrote:
> >
> >> On 14/06/2023 00:20, Ying Jin wrote:
> >> > Mark,
> >> >
> >> > Thanks for the tip. I've resolved this error by using the way you
> >> > suggested along with the newer version of jdbc driver ojdbc8.jar
> >> > and modified the connection url in the right format.
> >> >
> >> > However, I encountered another problem trying to run the
> >> > application in Eclipse with JDK 11. Please see below for the error
> >> > message.
> >> > I didn't have any problem running the application with JDK 8.
> >> > Any suggestions?
> >>
> >> None, since we can't see the error message.
> >>
> >> Embedded images don't work. Please paste the full stack trace and/or
> >> post it online somewhere we can read it.
> >>
> >> Mark
> >>
> >>
> >> > image.png
> >> >
> >> > Many thanks!
> >> > Jenny
> >> >
> >> >
> >> > On Mon, Jun 12, 2023 at 11:21 AM Mark Thomas wrote:
> >> >
> >> > On 12/06/2023 16:52, Ying Jin wrote:
> >> >  > BTW, the ojdbc6_g.jar has been put in the Tomcat9.0.75/lib folder as
> >> >  > well as in the project's WEB-INF/lib folder.
> >> >
> >> > Don't do that. Put it *only* in $CATALINA_BASE/lib
> >> >
> >> >
> >> >  > On Mon, Jun 12, 2023 at 10:41 AM Ying Jin wrote:
> >> >  > Mark,
> >> >  >
> >> >  > Thanks for your reply! Please see below for the details. BTW, I
> >> >  > removed the database connection info. for security reasons. The same
> >> >  > data source configuration and jdbc driver "ojdbc6_g" works in the
> >> >  > Weblogic 14 server.
> >> >  >
> >> >  > web.xml:
> >> >  >
> >> >  >   project datasource
> >> >  >   jdbc/ariesDS
> >> >  >   javax.sql.DataSource
> >> >  >   Container
> >> >  >
> >> >  > Tomcat 9.0.75 conf/context.xml:
> >> >
> >> > Putting it there means you have created one instance of the resource
> >> > for each deployed web application. You probably want to put it in:
> >> >
> >> >
> >> > $CATALINA_BASE/conf/// name>.xml
> >> >
> >> > But maybe wait until you have it working before fixing that.
> >> >
> >> >  >>> >  > driverClassName="oracle.jdbc.OracleDriver" maxIdle="10"
> >> >  > maxTotal="20" maxWaitMillis="-1" name="jdbc/ariesDS"
> >> > password="PW"
> >> >  > type="javax.sql.DataSource"
> >> >  > url="jdbc:oracle:thin@hostname:portNumber/servic name"
> >> >  > username="userName"/>
> >> >  >
> >> >  > Datasource lookup code:
> >> >  >
> >> >  > Context initContext = new InitialContext();
> >> >  >  Context envContext  =
> >> >  > (Context)initContext.lookup("java:/comp/env");
> >> >  >  DataSource ods =
> >> > (DataSource)envContext.lookup("jdbc/ariesDS");
> >> >  > if (ods==null)
> >> >  >  {
> >> >  > System.out.println("ods = (OracleDataSource)
> >> >  > envCtx.lookup('jdbc/ariesDS') is null");
> >> >  > throw new Exception ("the data souce is null, error
> >> > throwed.");
> >> >  >  }else{
> >> >  > conn = ods.getConnection();
> >> >  >  }
> >> >  >
> >> >  > The database version is Oracle 19C and I found out the Oracle jdbc
> >> >  > driver should be ojdbc8.jar. If using this version of jar file, any
> >> >  > code changes need to be done for the data source lookup code?
> >> >
> >> > No. The lookup code should be fine.
> >> >
> >> >  > The complete stacktrace:
> >> >  > image.png
> >> >
> >> > Embedded images don't work. Please paste the full stack trace and/or
> >> > 

AW: AW: Crypto Randomly Not Getting Initialized

2023-06-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Jerry,


> -Original Message-
> From: Jerry Malcolm 
> Sent: Tuesday, 13 June 2023 17:35
> To: users@tomcat.apache.org
> Subject: Re: AW: Crypto Randomly Not Getting Initialized
> 
> Hi Thomas,
> 
> On 6/13/2023 2:08 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello Jerry,
> >
> >> -Original Message-
> >> From: Jerry Malcolm 
> >> Sent: Tuesday, 13 June 2023 08:50
> >> To: users@tomcat.apache.org
> >> Subject: Crypto Randomly Not Getting Initialized
> >>
> >> I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon
> >> Linux2 in a production environment.  A couple of years ago, we
> >> started getting weird errors that the "Crypto Mechanism" failed to
> >> initialize. Through a lot of trial and error, and reasons I don't
> >> quite remember, we put a 2-min delay in rc.local before starting
> >> Tomcat, and the problem went away.  I'm not a Linux nor a crypto
> >> guru.  But we traced it to some crypto file that we assumed was not
> >> available until later in the Linux boot sequence.  Anyway, the 2
> >> minute delay made it go away, for over two years.  Then all of a
> >> sudden in the last day or so, it's back with a vengeance.  It fails
> >> with the same crypto error from 2 years ago in about 50% of the EC2 boot
> >> ups.  I tried bumping the wait to 3 min, and no change.
> >>
> >> I need help.  Our whole production environment is unstable now since
> >> every time an ASG brings a new instance online, I've got a 50-50
> >> chance that tomcat is going to die (and the health check doesn't
> >> catch it, but that's a different issue).
> >>
> >> There are no errors in the Tomcat boot sequence logs.  But the first
> >> time and every subsequent time I try to get a connection from the
> >> DataSource pool, I get the stack dump shown below.
> >>
> >> I figure it has to be a timing/race condition.  But I have no clue
> >> what to do to fix it.  I'm baffled that it worked for two years, and
> >> now fails every other time I start an instance.  And every instance
> >> is running copies of the exact same Amazon Machine Image.  The same
> >> EC2 will come up clean 50% of the time the next time it boots.
> >>
> >> Can somebody with Tomcat/Crypto/Linux knowledge unravel what's going
> >> on here?  Thx
> >>
> >> java.lang.ExceptionInInitializerError
> >>       at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
> >>       at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
> >>       at
> >> java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCip
> >> her.jav
> >> a:509)
> >>       at 
> >> java.base/sun.security.ssl.SSLCipher.(SSLCipher.java:498)
> >>       at 
> >> java.base/sun.security.ssl.SSLCipher.(SSLCipher.java:81)
> >>       at
> >> java.base/sun.security.ssl.CipherSuite.(CipherSuite.java:65)
> >>       at
> >> java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCiphe
> >> rSuit
> >> es(SSLContextImpl.java:348)
> >>       at
> >> java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.
> >> (SSLC
> >> ontextImpl.java:580)
> >>       at java.base/java.lang.Class.forName0(Native Method)
> >>       at java.base/java.lang.Class.forName(Class.java:315)
> >> ...
> >>
> >>       at
> >>
> com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:
> >> 948)
> >>       at
> >>
> com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
> >>       at
> com.mysql.cj.jdbc.ConnectionImpl.(ConnectionImpl.java:448)
> >>       at
> >> com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
> >>       at
> >>
> com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:
> >> 198)
> >>       at
> >>
> org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection
> >> (
> >> DriverConnectionFactory.java:52)
> >>       at
> >>
> org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(Po
> >> olableConnectionFactory.java:415)
> >>       at
> >>
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactor
> >> y
> >> (BasicDataSourc

AW: Crypto Randomly Not Getting Initialized

2023-06-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Jerry,

> -Original Message-
> From: Jerry Malcolm 
> Sent: Tuesday, 13 June 2023 08:50
> To: users@tomcat.apache.org
> Subject: Crypto Randomly Not Getting Initialized
> 
> I am running Tomcat 9.0.56 in multiple AWS EC2 instances with Amazon
> Linux2 in a production environment.  A couple of years ago, we started
> getting weird errors that the "Crypto Mechanism" failed to initialize. Through
> a lot of trial and error, and reasons I don't quite remember, we put a 2-min
> delay in rc.local before starting Tomcat, and the problem went away.  I'm
> not a Linux nor a crypto guru.  But we traced it to some crypto file that we
> assumed was not available until later in the Linux boot sequence.  Anyway,
> the 2 minute delay made it go away, for over two years.  Then all of a sudden
> in the last day or so, it's back with a vengeance.  It fails with the same
> crypto error from 2 years ago in about 50% of the EC2 boot ups.  I tried
> bumping the wait to 3 min, and no change.
> 
> I need help.  Our whole production environment is unstable now since every
> time an ASG brings a new instance online, I've got a 50-50 chance that
> tomcat is going to die (and the health check doesn't catch it, but that's a
> different issue).
> 
> There are no errors in the Tomcat boot sequence logs.  But the first time and
> every subsequent time I try to get a connection from the DataSource pool, I
> get the stack dump shown below.
> 
> I figure it has to be a timing/race condition.  But I have no clue what to do
> to fix it.  I'm baffled that it worked for two years, and now fails every other
> time I start an instance.  And every instance is running copies of the exact
> same Amazon Machine Image.  The same EC2 will come up clean 50% of the
> time the next time it boots.
> 
> Can somebody with Tomcat/Crypto/Linux knowledge unravel what's going
> on here?  Thx
> 
> java.lang.ExceptionInInitializerError
>      at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
>      at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:190)
>      at
> java.base/sun.security.ssl.SSLCipher.isTransformationAvailable(SSLCipher.jav
> a:509)
>      at java.base/sun.security.ssl.SSLCipher.(SSLCipher.java:498)
>      at java.base/sun.security.ssl.SSLCipher.(SSLCipher.java:81)
>      at
> java.base/sun.security.ssl.CipherSuite.(CipherSuite.java:65)
>      at
> java.base/sun.security.ssl.SSLContextImpl.getApplicableSupportedCipherSuit
> es(SSLContextImpl.java:348)
>      at
> java.base/sun.security.ssl.SSLContextImpl$AbstractTLSContext.(SSLC
> ontextImpl.java:580)
>      at java.base/java.lang.Class.forName0(Native Method)
>      at java.base/java.lang.Class.forName(Class.java:315)
> ...
> 
>      at
> com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:
> 948)
>      at
> com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:818)
>      at com.mysql.cj.jdbc.ConnectionImpl.(ConnectionImpl.java:448)
>      at
> com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
>      at
> com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:
> 198)
>      at
> org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(
> DriverConnectionFactory.java:52)
>      at
> org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(Po
> olableConnectionFactory.java:415)
>      at
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory
> (BasicDataSource.java:111)
>      at
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnection
> Factory(BasicDataSource.java:649)
>      at
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDa
> taSource.java:532)
>      at
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataS
> ource.java:731)
>      at jwm.db.DBData.getConnection(DBData.java:506)    my call to get
> a db connection from connection pool 
> 
> ...
> 
> Caused by: java.lang.SecurityException: Can not initialize cryptographic
> mechanism
>      at
> java.base/javax.crypto.JceSecurity.(JceSecurity.java:120) ... 86 mo
> Caused by: java.lang.SecurityException: Can't read cryptographic policy
> directory: unlimited
>      at
> java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:
> 326)
>      at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:111)
>      at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
>      at java.base/java.security.AccessController.doPrivileged(Native
> Method)
>      at
> java.base/javax.crypto.JceSecurity.(JceSecurity.java:107)
>      ... 86 more
> 
> 

Could it be this issue?

AW: problem with SSL connection java.security.NoSuchAlgorithmException: Error constructing implementation

2023-06-08 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Ivano,

> -Original Message-
> From: Ivano Luberti 
> Sent: Thursday, 8 June 2023 12:10
> To: users@tomcat.apache.org
> Subject: problem with SSL connection
> java.security.NoSuchAlgorithmException: Error constructing implementation
> 
> Hi, all I have the following problem.
> 
> My web application executes an SSL connection but fails with the following
> exception
> 
> >  AxisFault: java.security.NoSuchAlgorithmException: Error constructing
> > implementation (algorithm: Default, provider: SunJSSE, class:
> > sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> > org.apache.axis2.AxisFault,makeFault,430
> > org.apache.axis2.transport.http.HTTPSender,sendViaPost,197
> > org.apache.axis2.transport.http.HTTPSender,send,75
> >
> org.apache.axis2.transport.http.CommonsHTTPTransportSender,writeMessa
> g
> > eWithCommons,404
> >


Here it is visible that the Axis client can't connect to the server.
It has nothing to do with Tomcat in my opinion.
The crypto algorithms are provided by the JDK (or separate libraries).

Your program acts as a client, connecting to a server. Therefore Tomcat is not
involved in this case.

If the endpoint of the service is publicly available, you can do a scan with e.g.
https://www.ssllabs.com/ssltest/ to inspect the offered ciphers.
Also check whether the certificates are available and that the server is
configured with the intermediates.

> org.apache.axis2.transport.http.CommonsHTTPTransportSender,invoke,231
> > org.apache.axis2.engine.AxisEngine,send,443
> > org.apache.axis2.description.OutInAxisOperationClient,send,406
> > org.apache.axis2.description.OutInAxisOperationClient,executeImpl,229
> > org.apache.axis2.client.OperationClient,execute,165
> > it.sella.ecomm.WSCryptDecryptStub,encrypt,197
> > it.archicoop.met.sistemapagamento.bancasella.wscryptdecryptclient.WSCl
> > ient,encrypt,61
> > it.archimede.met.backoffice.pagamento.GestionePagamento,encrypt,75
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,encrypt,379
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,pagaConCartaDiCre
> > dito,328
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,paga,112
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,pagaHiddenIframe,
> > 452
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,doGet,585
> > javax.servlet.http.HttpServlet,service,670
> > javax.servlet.http.HttpServlet,service,779
> > org.apache.catalina.core.ApplicationFilterChain,internalDoFilter,227
> > org.apache.catalina.core.ApplicationFilterChain,doFilter,162
> > org.apache.tomcat.websocket.server.WsFilter,doFilter,53
> > org.apache.catalina.core.ApplicationFilterChain,internalDoFilter,189
> > org.apache.catalina.core.ApplicationFilterChain,doFilter,162
> > org.apache.catalina.core.StandardWrapperValve,invoke,197
> > org.apache.catalina.core.StandardContextValve,invoke,97
> > org.apache.catalina.authenticator.AuthenticatorBase,invoke,541
> > org.apache.catalina.valves.AbstractAccessLogValve,invoke,687
> > org.apache.catalina.core.StandardHostValve,invoke,135
> > org.apache.catalina.valves.ErrorReportValve,invoke,92
> > org.apache.catalina.valves.AbstractAccessLogValve,invoke,687
> > org.apache.catalina.core.StandardEngineValve,invoke,78
> > org.apache.catalina.connector.CoyoteAdapter,service,360
> > org.apache.coyote.http11.Http11Processor,service,399
> > org.apache.coyote.AbstractProcessorLight,process,65
> > org.apache.coyote.AbstractProtocol$ConnectionHandler,process,893
> > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor,doRun,1789
> > org.apache.tomcat.util.net.SocketProcessorBase,run,49
> > org.apache.tomcat.util.threads.ThreadPoolExecutor,runWorker,1191
> > org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker,run,659
> > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable,run,61
> > java.lang.Thread,run,750
> > it.archimede.met.backoffice.pagamento.GestionePagamento,encrypt,109
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,encrypt,379
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,pagaConCartaDiCre
> > dito,328
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,paga,112
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,pagaHiddenIframe,
> > 452
> > it.archimede.met.turisti.servlet.NuovoOrdineAcquista,doGet,585
> > javax.servlet.http.HttpServlet,service,670
> > javax.servlet.http.HttpServlet,service,779
> > org.apache.catalina.core.ApplicationFilterChain,internalDoFilter,227
> > org.apache.catalina.core.ApplicationFilterChain,doFilter,162
> > org.apache.tomcat.websocket.server.WsFilter,doFilter,53
> > org.apache.catalina.core.ApplicationFilterChain,internalDoFilter,189
> > org.apache.catalina.core.ApplicationFilterChain,doFilter,162
> > org.apache.catalina.core.StandardWrapperValve,invoke,197
> > org.apache.catalina.core.StandardContextValve,invoke,97
> > org.apache.catalina.authenticator.AuthenticatorBase,invoke,541
> > org.apache.catalina.valves.AbstractAccessLogValve,invoke,687
> > 

AW: Tomcat web server restarts automatically

2023-06-06 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Thomson,

> -Original Message-
> From: Thomson Waghmare 
> Sent: Tuesday, 6 June 2023 07:44
> To: users@tomcat.apache.org
> Subject: Tomcat web server restarts automatically
> 
> Hi Team,
> 
> We have Tomcat web server as a service that has 4 web applications
> deployed on it. One of them is ALARMCFG, an alarm reporting application.
> Sometimes this web server is restarting automatically, we don't have
> anything logged in the logs of deployed applications.
> 
> Want to know the reason of this web server restart. The frequency is
> random, sometimes daily, sometimes twice a day, sometimes twice a week.
> Can someone help in understanding what is the problem and what else has to
> be checked.
> 
> Java version - jdk1.8.0_333
> Tomcat version - apache-tomcat-8.5.79
> 
> *web server restart logs*
> {root} #: journalctl -u abc-webserver
> 
> Mar 01 15:34:45 rc5abcco systemd[1]: abc-webserver.service: main
> process exited, code=killed, status=6/ABRT
> Mar 01 15:34:45 rc5abcco systemd[1]: Unit abc-webserver.service entered
> failed state.
> Mar 01 15:34:45 rc5abcco systemd[1]: abc-webserver.service failed.
> Mar 01 15:35:00 rc5abcco systemd[1]: abc-webserver.service holdoff time
> over, scheduling restart.
> Mar 01 15:35:00 rc5abcco systemd[1]: Stopped The abc Webserver
> Service.
> Mar 01 15:35:00 rc5abcco systemd[1]: Starting The abc Webserver
> Service...
> Mar 01 15:35:12 rc5abcco abc_smf_start_stop.sh[2532]: webserver is
> running OK
> Mar 01 15:35:12 rc5abcco systemd[1]: Started The abc Webserver Service.
> Mar 01 22:33:36 rc5abcco systemd[1]: abc-webserver.service: main
> process exited, code=killed, status=6/ABRT
> Mar 01 22:33:36 rc5abcco systemd[1]: Unit abc-webserver.service entered
> failed state.
> Mar 01 22:33:36 rc5abcco systemd[1]: abc-webserver.service failed.
> Mar 01 22:33:51 rc5abcco systemd[1]: abc-webserver.service holdoff time
> over, scheduling restart.
> Mar 01 22:33:51 rc5abcco systemd[1]: Stopped The abc Webserver
> Service.
> Mar 01 22:33:51 rc5abcco systemd[1]: Starting The abc Webserver
> Service...
> Mar 01 22:34:02 rc5abcco abc_smf_start_stop.sh[44678]: webserver is
> running OK
> Mar 01 22:34:02 rc5abcco systemd[1]: Started The abc Webserver Service.
> .
> .
> .
> Jun 01 09:48:58 rc5abcco systemd[1]: Stopped The abc Webserver Service.
> Jun 01 09:49:10 rc5abcco systemd[1]: Started The abcWebserver Service.
> 
> *Catalina.out*
> # A fatal error has been detected by the Java Runtime Environment:
> #
> #  SIGSEGV (0xb) at pc=0x7fe638000368, pid=54728,
> tid=0x7fe625309700
> #
> # JRE version: Java(TM) SE 

AW: AW: Re-Cannot upload an image file from a deployed JSP page in Tomcat 10

2023-06-02 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark,

> -Original Message-
> From: Mark Thomas 
> Sent: Friday, 2 June 2023 14:18
> To: users@tomcat.apache.org
> Subject: Re: AW: Re-Cannot upload an image file from a deployed JSP page in
> Tomcat 10
> 
> On 02/06/2023 08:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello Lauri,
> >
> >> -Original Message-
> >> From: Lauri 
> >> Sent: Friday, 2 June 2023 08:58
> >> To: Tomcat Users List 
> >> Subject: Re-Cannot upload an image file from a deployed JSP page in
> >> Tomcat
> >> 10
> >>
> >> @Thomas:
> >>
> >> I have made a test using the request.getParts() API, as mentioned here:
> >> https://docs.oracle.com/javaee/6/tutorial/doc/glrbb.html
> >>
> >> The test upload application has been modified as:
> >>
> >> -- web.xml
> >> ---
> >> http://xmlns.jcp.org/xml/ns/javaee;
> >>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
> >>   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
> >>   
> >> http://xmlns.jcp.org/xml/ns/javaee/web-app_5_0.xsd;
> >>   version="5.0">
> >> 
> >> ---
> >>
> >> -- index.html
> >> ---
> >> 
> >> 
> >> 
> >> 
> >> Upload Text File
> >> 
> >> 
> >>  Upload File
> >>  
> >>  
> >>  
> >>  
> >> 
> >> 
> >> ---
> >>
> >> -- upload.jsp
> >> ---
> >> <%@ page import="java.io.*, java.util.*, javax.servlet.*,
> javax.servlet.http.*"
> >> %> <%
> >>   Part part = request.getPart("file");
> >>   if (part != null) {
> >>     InputStream stream = part.getInputStream();
> >>     File file = new File("/tmp/" + part.getSubmittedFileName());
> >>     FileOutputStream outputStream = new FileOutputStream(file);
> >>     byte[] buffer = new byte[4096];
> >>     int bytesRead = -1;
> >>     while ((bytesRead = stream.read(buffer)) != -1) {
> >>       outputStream.write(buffer, 0, bytesRead);
> >>     }
> >>     outputStream.close();
> >>     stream.close();
> >>   } else {
> >>     out.println("No file uploaded.");
> >>   }
> >> %>
> >> ---
> >>
> >> The @MultipartConfig is defined in the HTML file.
> >
> > The @MultipartConfig must be used in the servlet.
> > Here are examples:
> > https://stackoverflow.com/questions/19145489/multipartconfig-override-in-web-xml
> > Multipart-Upload with the mentioned methods can't be done
> > with JSP-Files solely as far as I can see.
> 
> That is not correct. You CAN use multi-part upload with JSP files.
> Rather than using the annotation, you have to define the upload in web.xml.
> See an earlier post from me in this thread for some links to some examples.

Thanks for the correction!
Now I understand the example in your link.

The trick is:
   
   /temp
   

> Mark
> 



AW: Re-Cannot upload an image file from a deployed JSP page in Tomcat 10

2023-06-02 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Lauri,

> -Original Message-
> From: Lauri 
> Sent: Friday, 2 June 2023 08:58
> To: Tomcat Users List 
> Subject: Re-Cannot upload an image file from a deployed JSP page in Tomcat
> 10
> 
> @Thomas:
> 
> I have made a test using the request.getParts() API, as mentioned here:
> https://docs.oracle.com/javaee/6/tutorial/doc/glrbb.html
> 
> The test upload application has been modified as:
> 
> -- web.xml
> ---
> http://xmlns.jcp.org/xml/ns/javaee;
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
>  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>  
> http://xmlns.jcp.org/xml/ns/javaee/web-app_5_0.xsd;
>  version="5.0">
> 
> ---
> 
> -- index.html
> ---
> 
> 
> 
> 
> Upload Text File
> 
> 
> Upload File
> 
> 
> 
> 
> 
> 
> ---
> 
> -- upload.jsp
> ---
> <%@ page import="java.io.*, java.util.*, javax.servlet.*, 
> javax.servlet.http.*"
> %> <%
>   Part part = request.getPart("file");
>   if (part != null) {
>     InputStream stream = part.getInputStream();
>     File file = new File("/tmp/" + part.getSubmittedFileName());
>     FileOutputStream outputStream = new FileOutputStream(file);
>     byte[] buffer = new byte[4096];
>     int bytesRead = -1;
>     while ((bytesRead = stream.read(buffer)) != -1) {
>       outputStream.write(buffer, 0, bytesRead);
>     }
>     outputStream.close();
>     stream.close();
>   } else {
>     out.println("No file uploaded.");
>   }
> %>
> ---
> 
> The @MultipartConfig is defined in the HTML file.

The @MultipartConfig must be used in the servlet.
Here are examples: 
https://stackoverflow.com/questions/19145489/multipartconfig-override-in-web-xml
 
Multipart-Upload with the mentioned methods can't be done with JSP-Files solely 
as far as I can see.
Only Servlets can be annotated or declared with MultipartConfig

I suggest reading some pages about servlets and also taking a look at 
try-with-resources.
Your topic is more about servlet and jsp programming and less about tomcat.



> When deployed in Tomcat 10, I still get these errors:
> 
> ---
> org.apache.jasper.JasperException: An exception occurred processing
> [/upload.jsp] at line [3]
> 
> 1: <%@ page import="java.io.*, java.util.*, javax.servlet.*,
> javax.servlet.http.*" %>
> 2: <%
> 3:   Part part = request.getPart("file");
> 4:   if (part != null) {
> 5: InputStream stream = part.getInputStream();
> 6: File file = new File("/tmp/" + part.getSubmittedFileName());
> ---
> 
> @Mark:
> 
> Referring to:
> https://stackoverflow.com/questions/37965890/add-annotation-to-jsp
> 
> I do not upload a (image) file to the database, but on the server (/tmp).
> 
> Kind Regards
> 
> 
> From: Mark Thomas 
> Sent: Thursday, June 1, 2023 11:29 AM
> To: users@tomcat.apache.org 
> Subject: Re: Re-Cannot upload an image file from a deployed JSP page in
> Tomcat 10
> 
> On 01/06/2023 10:18, Torsten Krah wrote:
> > On Thursday, 01.06.2023 at 08:52 +, Lauri wrote:
> >>> You mention a servlet part, but I do not use a servlet.
> >>> All the code is contained in the JSP page.
> >
> > You need to divide that code in a JSP and in your upload servlet as
> > you need to provide the @MultipartConfig on that servlet which handles
> > your upload.
> > Without that you will get:
> >
> > Unable to process parts as no multi-part configuration has been
> > provided
> >
> > as an exception when accessing the request.getParts() API.
> >
> > The whole thing is all written there btw:
> >
> > https://docs.oracle.com/javaee/6/tutorial/doc/glrbb.html
> >
> > I don't know - maybe Mark does - if you can annotate a JSP page, had
> > never seen it or read about that so my best guess is, you can't do
> > that and you need to use a servlet + jsp unless you want to overwrite
> > the JspServlet from Tomcat with a custom one which does have that
> > annotation and handles the Jsp stuff.
> 
> You can do this via web.xml. See the following SO question for an example
> specific to this question:
> 
> https://stackoverflow.com/questions/37965890/add-annotation-to-jsp
> 
> For some more general examples:
> 
> https://github.com/apache/tomcat/blob/main/test/webapp/WEB-INF/web.xml
> 
> Search for ""
> 
> Mark
> 



AW: Re-Cannot upload an image file from a deployed JSP page in Tomcat 10

2023-06-01 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Torsten Krah 
> Sent: Thursday, 1 June 2023 11:18
> To: users@tomcat.apache.org
> Subject: Re: Re-Cannot upload an image file from a deployed JSP page in
> Tomcat 10
> 
> On Thursday, 01.06.2023 at 08:52 +, Lauri wrote:
> > > You mention a servlet part, but I do not use a servlet.
> > > All the code is contained in the JSP page.
> 
> You need to divide that code in a JSP and in your upload servlet as you need
> to provide the @MultipartConfig on that servlet which handles your upload.
> Without that you will get:
> 
> Unable to process parts as no multi-part configuration has been provided
> 
> as an exception when accessing the request.getParts() API.
> 
> The whole thing is all written there btw:
> 
> https://docs.oracle.com/javaee/6/tutorial/doc/glrbb.html
> 
> I don't know - maybe Mark does - if you can annotate a JSP page, had never
> seen it or read about that so my best guess is, you can't do that and you need
> to use a servlet + jsp unless you want to overwrite the JspServlet from
> Tomcat with a custom one which does have that annotation and handles the
> Jsp stuff.
> 
> kind regards
> 
> Torsten
> 

In general it is good practice to separate logic and layout.
JSP are usually for providing the view / layout.
Logic / java code should be used in servlets and other java classes (e.g. 
models).

So it is recommended anyway to move java code from JSP to java classes.
See https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller 

Greetings,
Thomas
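
A servlet version of the upload handling discussed in this thread, as an added example that is not code from any of the posters: it declares @MultipartConfig on the servlet, closes the stream with try-with-resources, and reduces the client-supplied getSubmittedFileName() to a bare name inside the upload directory before writing. The class name, URL pattern, upload directory and size limits are assumptions.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Part;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical servlet: URL pattern, directory and limits are assumptions.
// Tomcat 10 uses the jakarta.* namespace, so no javax.servlet imports appear here.
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 5L * 1024 * 1024, maxRequestSize = 6L * 1024 * 1024)
public class UploadServlet extends HttpServlet {

    // Assumed location: outside the web root, must already exist.
    private static final Path UPLOAD_DIR = Paths.get("/var/lib/myapp/uploads");

    /**
     * Maps a client-supplied file name to a path inside baseDir.
     * Returns null when the name is missing or would resolve outside baseDir.
     */
    static Path resolveUpload(Path baseDir, String submittedName) {
        if (submittedName == null || submittedName.isEmpty()) {
            return null;
        }
        // The name is whatever the client sent and may contain directory parts.
        // Keep only the last segment, treating '/' and '\' as separators
        // regardless of the server's operating system.
        int cut = Math.max(submittedName.lastIndexOf('/'), submittedName.lastIndexOf('\\'));
        String name = submittedName.substring(cut + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            return null;
        }
        try {
            Path base = baseDir.toAbsolutePath().normalize();
            Path target = base.resolve(name).normalize();
            // Final containment check after normalisation.
            return (target.startsWith(base) && !target.equals(base)) ? target : null;
        } catch (InvalidPathException e) {
            return null;
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("file"); // same form field name as in the thread's JSP
        Path target = (part == null)
                ? null
                : resolveUpload(UPLOAD_DIR, part.getSubmittedFileName());
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing or invalid file");
            return;
        }
        // try-with-resources closes the stream even when the copy fails.
        // Files.copy without REPLACE_EXISTING refuses to overwrite an existing file.
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target);
        } catch (FileAlreadyExistsException e) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "File already exists");
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Stored " + target.getFileName());
    }
}
```

The earlier commons-fileupload JSP in this thread reduced the name with `new File(item.getName()).getName()`; the later `getPart()` version concatenates the submitted name directly, which is the step `resolveUpload` replaces.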
 



AW: Re-Cannot upload an image file from a deployed JSP page in Tomcat 10

2023-05-31 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Lauri 
> Sent: Wednesday, 31 May 2023 11:04
> To: Tomcat Users List 
> Subject: Re-Cannot upload an image file from a deployed JSP page in Tomcat
> 10
> 
> Hi Thomas,
> 
> I still do not understand everything.
> 
> I understood the following:
> 
> 1)
> From Tomcat 10 and onwards there has been a move from Java EE to Jakarta
> EE as part of the transfer of Java EE to the Eclipse Foundation, the primary
> package for all implemented APIs has changed from javax.* to jakarta.*.
> 
> 2)
> I understood from your post that the package commons-fileupload has
> dependencies to the old javax package.
> 
> 3)
> I can remove the commons-fileupload-* jar files from my application
> (because of what has been said above):
> /u01/tomcat/base/middleware/tomcat10/webapps/TESTS/WEB-INF/lib:
> commons-fileupload-1.5-test-sources.jar
> commons-fileupload-1.5-tests.jar
> commons-fileupload-1.5-sources.jar
> commons-fileupload-1.5-javadoc.jar
> commons-fileupload-1.5.jar
> 
> Can you tell me what I should modify on the JSP file that I have posted if I
> want to upload a binary file (image,...) ?
> What modules should I use if these are wrong ?
> 
> <%@ page import="org.apache.commons.fileupload.*" %> => TO REMOVE
> <%@ page import="org.apache.commons.fileupload.disk.*" %> => TO REMOVE
> <%@ page import="org.apache.commons.fileupload.servlet.*" %> => TO REMOVE
> <%@ page import="java.io.*" %>
> <%@ page import="java.util.*" %>
> <%@ page import="jakarta.servlet.*" %>
> <%@ page import="jakarta.servlet.http.*" %>
> <%@ page import="javax.servlet.http.*" %>
> <%@ page import="jakarta.sql.*" %>
> <%@ page import="java.sql.*" %>
> <%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory" %> => TO REMOVE
> <%@ page import="org.apache.commons.fileupload.FileItemFactory" %> => TO REMOVE
> 
> Kind Regards,
> 
> Lauri

You can access the file-stream like:
Part part = request.getPart("file");
InputStream stream = part.getInputStream();

Here are some examples:
http://www.java2s.com/example/java-api/javax/servlet/http/httpservletrequest/getparts-0-0.html

Greetings,
Thomas





AW: Re-Cannot upload an image file from a deployed JSP page in Tomcat 10

2023-05-30 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Lauri,

> -Original Message-
> From: Lauri 
> Sent: Tuesday, 30 May 2023 08:20
> To: Tomcat Users List 
> Subject: Re-Cannot upload an image file from a deployed JSP page in Tomcat
> 10
> 
> Hi Thomas,
> 
> I get returned "Page no found" when I navigate through:
> https://www.linuxquestions.org/questions/linux-server-73/fileupload-class-
> 
> I don't understand the relation between the code in my JSP page and the link
> you provided me:
> https://docs.oracle.com/javaee/6/tutorial/doc/gmhba.html
> 
> What do you mean exactly ?
> 
> Thanks by advance for any indications.
> 
> Kind Regards,
> 
> Lauri
> 
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Monday, May 29, 2023 8:39 PM
> To: Tomcat Users List 
> Subject: AW: Cannot upload an image file from a deployed JSP page in
> Tomcat 10
> 
> Hello Lauri,
> 
> > -Original Message-
> > From: Lauri 
> > Sent: Monday, 29 May 2023 11:36
> > To: users@tomcat.apache.org
> > Subject: Cannot upload an image file from a deployed JSP page in
> > Tomcat 10
> >
> > 1) Summary of the problem:
> >
> > From Tomcat 10 and onwards there has been a move from Java EE to
> > Jakarta EE as part of the transfer of Java EE to the Eclipse
> > Foundation, the primary package for all implemented APIs has changed
> from javax.* to jakarta.*.
> >
> > I have a JSP page deployed in Tomcat 10 that is intended to upload a
> > file from the desktop (Windows 10) to the server where Tomcat 10 is
> > running (OEL 8).
> > I am unable to upload an image, and I get this error:
> > -
> > org.apache.jasper.JasperException: Unable to compile class for JSP:
> > An error occurred at line: [24] in the jsp file: [/index.jsp] The type
> > javax.servlet.http.HttpServletRequest cannot be resolved. It is
> > indirectly referenced from required type
> > org.apache.commons.fileupload.servlet.ServletFileUpload
> > 21: ServletFileUpload upload = new ServletFileUpload(factory);
> > 22:
> > 23: // Parse the request
> > 24: List items = upload.parseRequest(request);
> > 25:
> > 26: // Process the uploaded items
> > 27: Iterator iter = items.iterator();
> > -
> >
> > My application name: TESTS
> > I have these libraries for the TESTS application:
> > /u01/tomcat/base/middleware/tomcat10/webapps/TESTS/WEB-INF/lib:
> > commons-fileupload-1.5-test-sources.jar
> > commons-fileupload-1.5-tests.jar
> > commons-fileupload-1.5-sources.jar
> > commons-fileupload-1.5-javadoc.jar
> > commons-fileupload-1.5.jar
> >
> > I have in my Tomcat 10 this library:
> > /u01/tomcat/base/middleware/tomcat10/lib:
> > -rw-r--r--. 1 tomcat tomcat 365905 Apr 25 12:16 servlet-api.jar
> >
> > 2) The deployed JSP page:
> >
> > -
> > <%@ page import="org.apache.commons.fileupload.*" %>
> > <%@ page import="org.apache.commons.fileupload.disk.*" %>
> > <%@ page import="org.apache.commons.fileupload.servlet.*" %>
> > <%@ page import="java.io.*" %>
> > <%@ page import="java.util.*" %>
> > <%@ page import="jakarta.servlet.*" %>
> > <%@ page import="jakarta.servlet.http.*" %>
> > <%@ page import="jakarta.sql.*" %>
> > <%@ page import="java.sql.*" %>
> > <%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory" %>
> > <%@ page import="org.apache.commons.fileupload.FileItemFactory" %>
> >
> > <%
> > // Set the upload directory
> > String uploadDir = "/tmp/";
> >
> > // Create a factory for disk-based file items
> > FileItemFactory factory = new DiskFileItemFactory();
> >
> > // Create a new file upload handler
> > ServletFileUpload upload = new ServletFileUpload(factory);
> >
> > // Parse the request
> > List items = upload.parseRequest(request);
> >
> > // Process the uploaded items
> > Iterator iter = items.iterator();
> > while (iter.hasNext()) {
> >     FileItem item = iter.next();
> >
> >     // If the item is a file, save it to the upload directory
> >     if (!item.isFormField()) {
> >         String fileName = new File(item.getName()).getName();
> >         String filePath = uploadDir + fileName;
> >         File uploadedFile = new File(filePath);
> >         item.write(uploadedFile);
> >     }
> > }
> > %>
> > 
> > 
> > File Upload Example  

AW: Cannot upload an image file from a deployed JSP page in Tomcat 10

2023-05-29 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Lauri,

> -Original Message-
> From: Lauri 
> Sent: Monday, 29 May 2023 11:36
> To: users@tomcat.apache.org
> Subject: Cannot upload an image file from a deployed JSP page in Tomcat 10
> 
> 1) Summary of the problem:
> 
> From Tomcat 10 and onwards there has been a move from Java EE to Jakarta
> EE as part of the transfer of Java EE to the Eclipse Foundation, the primary
> package for all implemented APIs has changed from javax.* to jakarta.*.
> 
> I have a JSP page deployed in Tomcat 10 that is intended to upload a file
> from the desktop (Windows 10) to the server where Tomcat 10 is running
> (OEL 8).
> I am unable to upload an image, and I get this error:
> -
> org.apache.jasper.JasperException: Unable to compile class for JSP:
> An error occurred at line: [24] in the jsp file: [/index.jsp] The type
> javax.servlet.http.HttpServletRequest cannot be resolved. It is indirectly
> referenced from required type
> org.apache.commons.fileupload.servlet.ServletFileUpload
> 21: ServletFileUpload upload = new ServletFileUpload(factory);
> 22:
> 23: // Parse the request
> 24: List items = upload.parseRequest(request);
> 25:
> 26: // Process the uploaded items
> 27: Iterator iter = items.iterator();
> -
> 
> My application name: TESTS
> I have these libraries for the TESTS application:
> /u01/tomcat/base/middleware/tomcat10/webapps/TESTS/WEB-INF/lib:
> commons-fileupload-1.5-test-sources.jar
> commons-fileupload-1.5-tests.jar
> commons-fileupload-1.5-sources.jar
> commons-fileupload-1.5-javadoc.jar
> commons-fileupload-1.5.jar
> 
> I have in my Tomcat 10 this library:
> /u01/tomcat/base/middleware/tomcat10/lib:
> -rw-r--r--. 1 tomcat tomcat 365905 Apr 25 12:16 servlet-api.jar
> 
> 2) The deployed JSP page:
> 
> -
> <%@ page import="org.apache.commons.fileupload.*" %>
> <%@ page import="org.apache.commons.fileupload.disk.*" %>
> <%@ page import="org.apache.commons.fileupload.servlet.*" %>
> <%@ page import="java.io.*" %>
> <%@ page import="java.util.*" %>
> <%@ page import="jakarta.servlet.*" %>
> <%@ page import="jakarta.servlet.http.*" %>
> <%@ page import="jakarta.sql.*" %>
> <%@ page import="java.sql.*" %>
> <%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory" %>
> <%@ page import="org.apache.commons.fileupload.FileItemFactory" %>
> 
> <%
> // Set the upload directory
> String uploadDir = "/tmp/";
> 
> // Create a factory for disk-based file items
> FileItemFactory factory = new DiskFileItemFactory();
> 
> // Create a new file upload handler
> ServletFileUpload upload = new ServletFileUpload(factory);
> 
> // Parse the request
> List items = upload.parseRequest(request);
> 
> // Process the uploaded items
> Iterator iter = items.iterator();
> while (iter.hasNext()) {
>     FileItem item = iter.next();
> 
>     // If the item is a file, save it to the upload directory
>     if (!item.isFormField()) {
>         String fileName = new File(item.getName()).getName();
>         String filePath = uploadDir + fileName;
>         File uploadedFile = new File(filePath);
>         item.write(uploadedFile);
>     }
> }
> %>
> 
> 
> File Upload Example
> 
> 
> File Upload Example
> 
> 
> 
> 
> 
> 
> 
> -
> 
> I have found that it looks like:
> https://www.linuxquestions.org/questions/linux-server-73/fileupload-class-not-working-with-tomcat-10-a-4175710078/
> But in my situation, it seems to be a different problem.
> 
> Does someone know if this is related to a bug ?
> Do I use the correct servlet-api jar package ?
> Do Tomcat 10 need to be specifically configured for using servlet-api and
> jakarta EE packages ?
> Does someone know what can be the problem ?
> 
> Thanks by advance for any tip(s) and/or suggestion(s).

I had the same issue because I used internal Tomcat classes.
In the past the servlet specification didn't have methods to deal with 
multipart uploads.
Since Servlet 3.0 there are methods for retrieving the uploads:
https://docs.oracle.com/javaee/6/tutorial/doc/gmhba.html

I replaced the ServletFileUpload and used standard methods like getParts().
This worked for me.

Greetings,
Thomas




AW: WebdavServlet protected resources cannot be opened in Word

2023-05-24 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, 24 May 2023 13:18
> To: users@tomcat.apache.org
> Subject: Re: WebdavServlet protected resources cannot be opened in Word
> 
> On 24/05/2023 08:03, Кирилл Бубович wrote:
> > We use webdav servlet
> >
>  ervlets/WebdavServlet.java> to enable editing docx documents. We also use
> the |ms-word:ofe|u|https://www.example.com/document.docx
> | scheme in our application to
> be able to edit documents. The Office URI Scheme documentation
>  schemes> contains a "Security Considerations" section for all schemes. These
> sections describe the need to guard against opening documents from
> untrusted remote systems.
> >
> > We have tried enabling basic AUTH to secure documents, which is
> > probably not the best approach since credentials will constantly be
> > moving over the network, but this is just for testing to understand how it
> works.
> > When we try to open a protected document in Word, we see a form asking
> > for credentials.
> >
> > However, the entered credentials do not affect the application
> > request, and the request still does not contain an authorization header.
> >
> > How to properly implement document protection and how to make it so
> > that Word client can log in in the appropriate way? Thanks in advance
> > for your help!
> 
> The Microsoft WebDAV implementations have a history of non-specification
> compliant behaviour. So much so that Tomcat has this:
> 
> https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/WebdavFixFilter.java
> 
> It has been a long time (many years) since I last looked at that code so my
> hope was that things had improved.
> 
> It is possible that you are seeing a Tomcat bug but, given past experience, we
> are only going to be able to investigate this and produce useful answers for you
> if we can test with *exactly* the same versions that you are using.
> 
> With that in mind, please provide exact version numbers for the following:
> 
> - Tomcat version used
> - OS Tomcat is running on
> - Java version Tomcat is running on
> 
> - Word version client is using
> - OS client is running on
> 
> - port client is using to connect to WebDAV
> - is TLS being used?
> - context path WebDAV is deployed to
> 
> Ideally, it would be helpful if you could provide a full URI for a resource 
> you
> are trying to access via WebDAV.
> 
> Thanks,
> 
> Mark
> 

We are using MS Office with Tomcat WebDav-Servlet without problems.

Configuration:
- Port 80 / 443 (80 redirects to 443)
- Kerberos Auth / SSO
- Tomcat 10.1 running on Ubuntu 22.04 LTS (Tomcat 9 and 10 also worked in the 
past)
- Browser: Chrome + Firefox latest version
- used URL: ms-word:ofe|u|https://domain/webdav/attachment/test.docx

The readonly parameter doesn’t work as described by MS, therefore we prevented 
writing via web.xml

  readonly
  true


Good luck!
Thomas


AW: AW: AW: Too many certificates in chain?!? Help!

2023-05-19 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello James,

> -Original Message-
> From: James H. H. Lampert 
> Sent: Friday, 19 May 2023 00:33
> To: Tomcat Users List 
> Subject: Re: AW: AW: Too many certificates in chain?!? Help!
> 
> On 5/18/23 1:57 PM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> 
> > So the error is raised not by tomcat but by the ibm JDK.
> 
> Yes. The results reported in my latest email say as much.
> 
> Those results also say that there's something different -- radically 
> different,
> judging from the amount of red that showed up in Hex Fiend -- between a
> keystore signed and chained on my new M2 Mac Mini, and a keystore signed
> and chained on my old 2017 iMac, both starting from the same original
> keystore, and the same CA certs, using the same version of KeyStore
> Explorer.
> 
> Just now, I thought I'd found something: I thought maybe it was the "Zulu-8"
> ARM-native Java 8 JVM that is currently the default on the M2 Mini. I
> temporarily pulled Zulu-8 out, forcing KeyStore Explorer to run under an
> Intel-native JVM. I tried signing and chaining the keystore, putting it on the
> customer box, and doing a keytool -list -v on it. It liked it. No 
> out-of-memory,
> no excessive (and maddeningly unspecified) chain length. And I was
> immediately certain that it was the Zulu-8.
> 
> But then I tried putting Zulu-8 back in, and doing the sign-and-chain
> operation under it. And it passed the keytool test just fine. Twice, with a
> reboot of my Mini in between.
> 
> Just for grins, I also ran the keytool test on all five keystore versions on 
> our
> cloud AS/400 (where it would NOT be good to shut down the Tomcat server).
> There, too, the *only* one that failed was the one that failed on the
> customer box. I did, however, notice something else:
> all five of them are 5486 bytes long at this end. As is the one that I sent 
> back
> from the customer box. And all of the ones that worked properly are 5486
> bytes as received on both remote AS/400s. But the bad one was 5515 bytes
> long as received on both remote AS/400s!
> 
> I'm sorely tempted to fire up the local AS/400 I was using earlier today,
> AGAIN!, and see how big it was, as received (being transferred directly,
> rather than through a private FTP server).
> 
> At this point, I'm calling it a fluke. Some freak glitch with that specific 
> sign-
> and-chain operation, that caused AS/400s to not like it.
> Unless somebody else has a better explanation.
> 
> --
> JHHL
> 

I am not familiar with IBM JDK and AS 400.
Maybe you can create all the PEM-Files (base64 encoded), private/public key and 
intermediates and assemble the jks file on the target machine?

Greetings,
Thomas
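
A check for the symptom in the quoted message above (the same keystore arriving with a different byte count) and for the load error, as an added example that is not code from the thread: run on the sending and on the receiving machine, it prints the file size and SHA-256 and then the chain length per alias as the local JDK reads it. The class name KeystoreCheck and its command-line arguments are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.Console;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical diagnostic (not from the thread). Java 8 compatible.
// Usage: java KeystoreCheck <keystore-file> [keystore-type]
public class KeystoreCheck {

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java KeystoreCheck <keystore-file> [keystore-type]");
            System.exit(2);
        }
        byte[] raw = Files.readAllBytes(Paths.get(args[0]));
        String type = args.length > 1 ? args[1] : KeyStore.getDefaultType();

        // Step 1: byte-level identity. These two values need no password and
        // must match on both machines; any difference means the bytes changed
        // in transit, before the JDK ever parsed them.
        System.out.println("size   : " + raw.length + " bytes");
        System.out.println("sha256 : " + sha256Hex(raw));

        // Step 2: let the local JDK parse the store. The password is read from
        // the console so it does not end up in shell history or process lists.
        Console console = System.console();
        char[] password = (console == null) ? null : console.readPassword("Keystore password: ");
        if (password == null) {
            System.err.println("No interactive console; skipping keystore load.");
            System.exit(2);
        }

        KeyStore ks = KeyStore.getInstance(type);
        try {
            ks.load(new ByteArrayInputStream(raw), password);
        } catch (IOException e) {
            // A damaged or unparsable store is reported here by the provider.
            System.out.println("load failed: " + e.getMessage());
            return;
        } finally {
            Arrays.fill(password, '\0');
        }

        // Step 3: what this JDK sees per alias.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            int length = (chain == null) ? 0 : chain.length;
            System.out.println(alias + ": "
                    + (ks.isKeyEntry(alias) ? "key entry" : "trusted certificate")
                    + ", chain length " + length);
            for (int i = 0; i < length; i++) {
                if (chain[i] instanceof X509Certificate) {
                    X509Certificate cert = (X509Certificate) chain[i];
                    System.out.println("  [" + i + "] subject=" + cert.getSubjectX500Principal().getName()
                            + " issuer=" + cert.getIssuerX500Principal().getName());
                }
            }
        }
    }
}
```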


AW: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello James,

> -Original Message-
> From: James H. H. Lampert 
> Sent: Thursday, 18 May 2023 22:01
> To: Tomcat Users List 
> Subject: Re: AW: Too many certificates in chain?!? Help!
> 
> On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Which version of tomcat do you use?
> > Is the stack trace truncated in your mail? Is there a "caused by ..." 
> > further
> down the stacktrace?
> >
> > It looks like the error is thrown deeper in SSLUtil when creating the ssl
> context.
> > Maybe you can post the full stack trace.
> 
> It just gets weirder.
> 
> FYI, The customer box is on Tomcat 8.5.73, running under IBM Java
> 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.
> 
> I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server
> (7.0.108, running under Java 6), and started plugging in keystores.
> First, I plugged in the initial self-signed keystore. No problem; launched 
> just
> fine. Then I plugged in the signed-and-chained keystore.
> Still no problem; launched just fine. Then I plugged in a copy of the signed-
> and-chained keystore that I'd sent back from the customer box.
> STILL no problem!
> 
> I also did a "keytool -list -v -keystore x.ks" on both the new keystore 
> and
> the one that worked, on my own Mac. No problems at all, and they looked
> very similar. But when I tried doing it on the customer AS/400, I got very
> similar error messages to what's in catalina.out.
> 
> I don't ordinarily send attachments to list servers, but the "how to ask
> questions the smart way" said it should be OK, if small and relevant, and
> stacktraces tend to get a bit garbled if sent inline, so I've attached a brief
> catalina.out excerpt.
> 
> --
> JHHL


The relevant line is:

Caused by: java.io.IOException: Too many certificates in chain
at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)

So the error is raised not by Tomcat but by the IBM JDK.
It seems the IBM version does something different than other JDKs.

Unfortunately, I can't find any sources. Maybe it's closed source from IBM.

Do you have to use the IBM JDK or can you use the same JDK as on your working machine?

Greetings,
Thomas


AW: Too many certificates in chain?!? Help!

2023-05-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello James,

> -Original Message-
> From: James H. H. Lampert
> Sent: Thursday, May 18, 2023 02:00
> To: Tomcat Users List
> Subject: Too many certificates in chain?!? Help!
> 
> Ladies and Gentlemen:
> 
> I just had to revert a customer Tomcat server immediately after plugging in a
> new keystore.
> 
> It failed in protocol handler initialization.
> 
> Caused by: java.lang.IllegalArgumentException: Too many certificates in chain
>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
>   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
>   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1161)
>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
>   at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
>   . . .
> 
> I've never seen anything like this before. According to KeyStore Explorer
> 5.4.4, the chain consists of a root, an intermediate, and the signed
> certificate for the web site. And the root and intermediate are exactly the
> same root and intermediate as the last good keystore.
> 
> Can anybody shed any light on what went wrong?
> 
> Tomorrow morning, I'm going to try plugging the keystore into a Tomcat
> server on an AS/400 in the office, to see if I can reproduce it.
> 
> --
> James H. H. Lampert
> 

Which version of Tomcat do you use?
Is the stack trace truncated in your mail? Is there a "caused by ..." further down the stacktrace?

It looks like the error is thrown deeper in SSLUtil when creating the SSL context.
Maybe you can post the full stack trace.

Greetings,
Thomas


AW: Java Agent and Tomcat shutdown

2023-05-11 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Peter,

> -Original Message-
> From: l...@kreuser.name
> Sent: Thursday, May 11, 2023 16:16
> To: Tomcat Users List
> Subject: Re: Java Agent and Tomcat shutdown
> 
> Hi Thomas
> 
> > On 11.05.2023 at 16:05, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >
> > Hello,
> >
> > we are using a java agent to start a listening process (JMX proxy).
> >
> > The systemd file for tomcat looks like (snippet):
> > JAVA_OPTS=... -javaagent:/opt/runtime/jmxagent/jmxagent.jar
> > -Dorg.goktay.rmiregistry.port=15000 -Dorg.goktay.rmiserver.port=15001
> 
> 
> I do think that setting JAVA_OPTS is triggering this behavior: EVERY java
> process contains this rmi server with this conflicting port.
> 
> The way to go is using CATALINA_OPTS. The options go only into the start-
> process...
 
You are completely right. Everything makes sense now.
Thanks for the quick help!
Much appreciated!

> HTH
> 
> Peter
> 
> > ExecStart=/opt/apache-tomcat/bin/catalina.sh run
> > ExecStop=/opt/apache-tomcat/bin/catalina.sh stop 60
> >
> > When starting the service, everything works fine and the java agent is
> > accessible via the opened port 15000.
> >
> > However, when stopping tomcat, it seems that a java process is started and
> > tries to open the same port again:
> > 2670]: Exception in thread "main" java.lang.reflect.InvocationTargetException
> >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> >     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
> >     at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:493)
> >     at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:503)
> > Caused by: java.rmi.server.ExportException: Port already in use: 15000; nested exception is:
> >     java.net.BindException: Address already in use
> >     at java.rmi/sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:346)
> >     at java.rmi/sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:243)
> >     at java.rmi/sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:415)
> >     at java.rmi/sun.rmi.transport.LiveRef.exportObject(LiveRef.java:147)
> >     at java.rmi/sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:235)
> >     at java.rmi/sun.rmi.registry.RegistryImpl.setup(RegistryImpl.java:223)
> >     at java.rmi/sun.rmi.registry.RegistryImpl.<init>(RegistryImpl.java:208)
> >     at java.rmi/java.rmi.registry.LocateRegistry.createRegistry(LocateRegistry.java:203)
> >     at org.goktay.jmx.JMXAgent.premain(JMXAgent.java:33)
> >     ... 6 more
> > Caused by: java.net.BindException: Address already in use
> >     at java.base/sun.nio.ch.Net.bind0(Native Method)
> >     at java.base/sun.nio.ch.Net.bind(Net.java:555)
> >     at java.base/sun.nio.ch.Net.bind(Net.java:544)
> >     at java.base/sun.nio.ch.NioSocketImpl.bind(NioSocketImpl.java:643)
> >     at java.base/java.net.ServerSocket.bind(ServerSocket.java:388)
> >     at java.base/java.net.ServerSocket.<init>(ServerSocket.java:274)
> >     at java.base/java.net.ServerSocket.<init>(ServerSocket.java:167)
> >     at java.rmi/sun.rmi.transport.tcp.TCPDirectSocketFactory.createServerSocket(TCPDirectSocketFactory.java:45)
> >     at java.rmi/sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:673)
> >     at java.rmi/sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:335)
> >     ... 14 more
> > *** java.lang.instrument ASSERTION FAILED ***: "result" with message agent load/premain call failed at src/java.instrument/share/native/libinstrument/JPLISAgent.c line: 422
> >
> > The premain method is entered again and of course the port is already used.
> > Is there a way to stop tomcat without re-entering the java agent?
> > Using shutdown.sh shows the same problem.
> >
> > Thanks in advance!
> > Thomas
> >
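
The answer above, as an added example that is not part of the thread: catalina.sh hands JAVA_OPTS to every JVM it launches, including the short-lived one behind `catalina.sh stop`, while CATALINA_OPTS reaches only the server JVM. The script models that rule in simplified form and flags agent or port options that a unit file puts in JAVA_OPTS; both unit files are constructed samples based on the snippet in the question, and `-Xms256m` is a filler value.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed unit files modelled on
# the snippet in the question; -Xms256m is a filler value.
WEAK_UNIT='[Service]
Environment="JAVA_OPTS=-Xms256m -javaagent:/opt/runtime/jmxagent/jmxagent.jar -Dorg.goktay.rmiregistry.port=15000 -Dorg.goktay.rmiserver.port=15001"
ExecStart=/opt/apache-tomcat/bin/catalina.sh run
ExecStop=/opt/apache-tomcat/bin/catalina.sh stop 60'

FIXED_UNIT='[Service]
Environment="JAVA_OPTS=-Xms256m"
Environment="CATALINA_OPTS=-javaagent:/opt/runtime/jmxagent/jmxagent.jar -Dorg.goktay.rmiregistry.port=15000 -Dorg.goktay.rmiserver.port=15001"
ExecStart=/opt/apache-tomcat/bin/catalina.sh run
ExecStop=/opt/apache-tomcat/bin/catalina.sh stop 60'

# unit_var NAME: print the value of Environment=NAME=... from a unit on stdin.
unit_var() {
    sed -n "s/^Environment=\"\{0,1\}$1=//p" | sed 's/"[[:space:]]*$//'
}

# Simplified model of catalina.sh: JAVA_OPTS goes to every JVM it starts,
# CATALINA_OPTS only to the server JVM (start, run, debug).
jvm_opts_for() {   # usage: jvm_opts_for ACTION JAVA_OPTS CATALINA_OPTS
    case "$1" in
        start|run|debug) printf '%s %s\n' "$2" "$3" ;;
        *)               printf '%s\n' "$2" ;;
    esac
}

# Print the tokens that load an agent or name a port to bind (heuristic).
listener_tokens() {
    (
        set -f    # no glob expansion while splitting the option string
        for tok in $1; do
            case "$tok" in
                -javaagent:*|-agentlib:*|-agentpath:*) printf '%s\n' "$tok" ;;
                -D*[Pp]ort=*)                          printf '%s\n' "$tok" ;;
            esac
        done
    )
}

# lint_unit: read a unit from stdin and list what the stop JVM would also get.
# Returns 1 when the stop JVM would start an agent or try to bind a port.
lint_unit() {
    unit=$(cat)
    java_opts=$(printf '%s\n' "$unit" | unit_var JAVA_OPTS)
    cat_opts=$(printf '%s\n' "$unit" | unit_var CATALINA_OPTS)
    found=$(listener_tokens "$(jvm_opts_for stop "$java_opts" "$cat_opts")")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/stop JVM also gets: /'
    return 1
}

printf '%s\n' "$WEAK_UNIT"  | lint_unit || echo "weak unit: move these to CATALINA_OPTS"
printf '%s\n' "$FIXED_UNIT" | lint_unit && echo "fixed unit: ok"
```

The same check applies to JMX remote and JDWP debug options: placed in JAVA_OPTS they are handed to the stop and version JVMs as well.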



Java Agent and Tomcat shutdown

2023-05-11 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

we are using a java agent to start a listening process (JMX proxy).

The systemd file for tomcat looks like (snippet):
  JAVA_OPTS=... -javaagent:/opt/runtime/jmxagent/jmxagent.jar -Dorg.goktay.rmiregistry.port=15000 -Dorg.goktay.rmiserver.port=15001
  ExecStart=/opt/apache-tomcat/bin/catalina.sh run
  ExecStop=/opt/apache-tomcat/bin/catalina.sh stop 60

When starting the service, everything works fine and the java agent is 
accessible via the opened port 15000.

However, when stopping tomcat, it seems that a java process is started and 
tries to open the same port again:
2670]: Exception in thread "main" java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:493)
    at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:503)
Caused by: java.rmi.server.ExportException: Port already in use: 15000; nested exception is:
    java.net.BindException: Address already in use
    at java.rmi/sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:346)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:243)
    at java.rmi/sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:415)
    at java.rmi/sun.rmi.transport.LiveRef.exportObject(LiveRef.java:147)
    at java.rmi/sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:235)
    at java.rmi/sun.rmi.registry.RegistryImpl.setup(RegistryImpl.java:223)
    at java.rmi/sun.rmi.registry.RegistryImpl.<init>(RegistryImpl.java:208)
    at java.rmi/java.rmi.registry.LocateRegistry.createRegistry(LocateRegistry.java:203)
    at org.goktay.jmx.JMXAgent.premain(JMXAgent.java:33)
    ... 6 more
Caused by: java.net.BindException: Address already in use
    at java.base/sun.nio.ch.Net.bind0(Native Method)
    at java.base/sun.nio.ch.Net.bind(Net.java:555)
    at java.base/sun.nio.ch.Net.bind(Net.java:544)
    at java.base/sun.nio.ch.NioSocketImpl.bind(NioSocketImpl.java:643)
    at java.base/java.net.ServerSocket.bind(ServerSocket.java:388)
    at java.base/java.net.ServerSocket.<init>(ServerSocket.java:274)
    at java.base/java.net.ServerSocket.<init>(ServerSocket.java:167)
    at java.rmi/sun.rmi.transport.tcp.TCPDirectSocketFactory.createServerSocket(TCPDirectSocketFactory.java:45)
    at java.rmi/sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:673)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:335)
    ... 14 more
*** java.lang.instrument ASSERTION FAILED ***: "result" with message agent load/premain call failed at src/java.instrument/share/native/libinstrument/JPLISAgent.c line: 422

The premain method is entered again and of course the port is already used.
Is there a way to stop tomcat without re-entering the java agent?
Using shutdown.sh shows the same problem.

Thanks in advance!
Thomas




AW: Maven tomcat7:redeploy upload reset/retry

2023-05-02 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Peter,

> -Original Message-
> From: Peter Rader
> Sent: Tuesday, May 2, 2023 12:41
> To: users@tomcat.apache.org
> Subject: Maven tomcat7:redeploy upload reset/retry
> 
> Hi Folks,
> 
> I am running a tomcat 8.5.50.
> 
> I try to upload a webapp using maven-tomcat7-plugin.
> 
> It worked very well for a couple of years. I did nothing new to the
> configuration.
> 
> Then I see broken pipes during build:
> 
> 
>     [INFO] Deploying war to http://www.foobar.de/manager/de.foobar.xxx-1.0.0-SNAPSHOT
>     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
>     3534/82321 KB
>     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
>     3504/82321 KB
>     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
>     3684/82321 KB
>     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
>     3474/82321 KB
> 
> The redeployment failed. I checked the free space and there are about 4
> gigabyte free on the device.
> 
> I already checked the upload-size in manager/WEB-INF/web.xml
> I already checked the ip-disclosure in manager/META-INF/context.xml
> I already checked the connectionTimeout in the http and https connector.
> I already checked the username and password.
> I already checked the roles.
> 
> It had worked successfully until a few days ago. I changed nothing.
> 
> Any ideas? (I do not like to update to a new tomcat-version)
> 
> Kind regards
>  Peter Rader
> --

Could you check the tomcat logs?
Under normal circumstances there should be some information to track down the 
issue.
Check all the log files according to the timestamp and post snippets, if you 
find something related.

Greetings,
Thomas


AW: ServletFileUpload not available in Tomcat 10.1

2023-04-20 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Chris,

thank you for the quick reply :)


> -Original Message-
> From: Christopher Schultz
> Sent: Thursday, April 20, 2023 17:31
> To: users@tomcat.apache.org
> Subject: Re: ServletFileUpload not available in Tomcat 10.1
> 
> Thomas,
> 
> On 4/20/23 10:26, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > we are upgrading from Tomcat 10 to Tomcat 10.1
> >
> > We are currently using
> > ServletFileUpload.isMultipartContent(request)
> > (from
> > org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload)
> >
> > It seems that the whole Servlet was removed in Tomcat 10.1
> > https://github.com/apache/tomcat/tree/main/java/org/apache/tomcat/util/http/fileupload/servlet
> >
> > I couldn't find any hints in the Tomcat 10.1 changelog.
> > Is there a replacement for this servlet or any background information why it
> > was removed?
> 
> The org.apache.tomcat.util.http.fileupload package is intended to be used
> internally by Tomcat only. Tomcat does not use the ServletFileUpload class and
> so it was removed from the private, internal copy.
> 
> Tomcat uses a package-renamed (aka shaded) distribution of
> commons-fileupload to provide the multipart facilities required by the Servlet
> specification. The package is shaded to avoid conflicts with applications that
> may have the same library bundled with them for whatever reason. It is not
> intended to be used directly by any application code.
> 
> If you want to use commons-fileupload, you should supply the
> commons-fileupload JAR file and use the public package which is
> org.apache.commons.fileupload.
> 
> -chris
> 



ServletFileUpload not available in Tomcat 10.1

2023-04-20 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

we are upgrading from Tomcat 10 to Tomcat 10.1

We are currently using
ServletFileUpload.isMultipartContent(request)
(from org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload)

It seems that the whole Servlet was removed in Tomcat 10.1
https://github.com/apache/tomcat/tree/main/java/org/apache/tomcat/util/http/fileupload/servlet

I couldn't find any hints in the Tomcat 10.1 changelog.
Is there a replacement for this servlet or any background information why it 
was removed?

Thanks!
Thomas


AW: Getting started with Websocket

2023-04-12 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Chris,

> -Original Message-
> From: Christopher Schultz
> Sent: Wednesday, April 12, 2023 20:31
> To: Tomcat Users List
> Subject: Getting started with Websocket
> 
> All,
> 
> I'm finally dipping my toes into Websocket-based communication with my
> Tomcat-based applications. Is it possible to do everything with "real"
> code and not any annotations?
> 
> I was looking for something like the Servlet Async model where you take an
> existing request and put it into async mode:
> 
>  final AsyncContext ac = request.startAsync(request, response);
> 
>  ac.start(new Runnable() {
> 
>  @Override
>  public void run() {
>  // Do some stuff
> 
>  // Write the response
>  ac.complete();
>  }
>  });
> 
> All the tutorials I see use annotations to set up the Websocket endpoint, etc.
> 
> Is it possible and/or recommended to use pure-code registration of such
> endpoints and/or post-HTTP-request upgrade?
> 
> I'm wanting to do things like verify that the request belongs to an
> authenticated user with certain privileges, etc. and only then allow that
> user to connect using Websocket to trade data across the wire.
> 
> How can I relate a Websocket session to an authenticated user? Can I
> communicate back and forth between the Websocket world and the
> HTTP-based world like websocket.session <-> HttpSession?
> 
> If I want to send a fire-and-forget message to the client from the server,
> can I just:
> 
> session.getAsyncRemote().sendText("hello world");
> 
> and ignore the Future object returned, or will I need to verify that
> message was sent before attempting to send another one?
> 
> Thanks,
> -chris
> 
I used the simple example below.
You need to add a kind of hashmap per user for example. It's just a POC.

public class SseServlet extends HttpServlet
{

    private static final long serialVersionUID = 1L;

    @Override
    public void destroy()
    {
        //
    }

    @Override
    public void service(final HttpServletRequest req, final HttpServletResponse res) throws ServletException, IOException
    {
        // https://web.dev/eventsource-basics/
        // https://www.howopensource.com/2016/01/java-sse-chat-example/
        if ("text/event-stream".equals(req.getHeader("Accept")))
        {
            AsyncContext actx = req.startAsync();
            actx.setTimeout(0);

            System.out.println("new connection");

            res.setContentType("text/event-stream");
            res.setHeader("Cache-Control", "no-cache");
            res.setHeader("Connection", "keep-alive");
            res.setCharacterEncoding("UTF-8");

            Thread t = new Thread(new SseSender(actx, new Random().nextInt()));
            t.start();
            //save actx and use it when we need sent data to the client.
        }
    }



    class SseSender implements Runnable
    {
        private AsyncContext ctx;
        private int iRnd;
        private boolean bRunning = true;

        public SseSender(final AsyncContext p, final int i)
        {
            this.ctx = p;
            this.iRnd = i;

            // final String id = UUID.randomUUID().toString();

            ctx.addListener(new AsyncListener()
            {
                @Override
                public void onComplete(final AsyncEvent event) throws IOException {
                    System.out.println(iRnd + " completed");
                    bRunning = false;
                    // stop thread or remove ctx from list
                }
                @Override
                public void onError(final AsyncEvent event) throws IOException {
                    System.out.println(iRnd + " error");
                    bRunning = false;
                    // stop thread or remove ctx from list
                }
                @Override
                public void onStartAsync(final AsyncEvent event) throws IOException {
                    // Do nothing
                }
                @Override
                public void onTimeout(final AsyncEvent event) throws IOException {
                    bRunning = false;
                    System.out.println(iRnd + " timed out");
                    // stop thread or remove ctx from list
                }
            });
        }

        @Override
        public void run()
        {

            while (bRunning)
            {
                try
                {
                    Thread.sleep(1000);
                }
                catch (InterruptedException e)
                {
                    e.printStackTrace();
                }

                if (bRunning)
                {
                    try
                    {
                        sendMessage(ctx.getResponse().getWriter(), 123, "test " + Integer.toString(iRnd));
                    }
                    catch (Exception e)
                    {
                        bRunning

AW: just wondering.. encryption in context.xml?

2023-04-08 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Kevin Huntly
> Sent: Saturday, April 8, 2023 19:40
> To: users@tomcat.apache.org
> Subject: just wondering.. encryption in context.xml?
> 
> is there currently a method for encrypting or otherwise obfuscating passwords
> (like for MySQL) in the context.xml
> 
> 
> Kevin Huntly
> Email: kmhun...@gmail.com
> Cell: 716/424-3311
> 

You might use environment variables or Java system properties.
If someone has access to your context.xml, then your server is compromised anyway.

Greetings,
Thomas
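
One way to apply the suggestion above, as an added example that is not part of the thread: Tomcat replaces `${name}` in its XML configuration files with the Java system property of that name, so context.xml can carry a placeholder instead of the password. The check below reports password attributes that still hold a literal and lists the properties that have to be supplied at startup; both context.xml samples are constructed and the property name `db.password` is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed context.xml samples;
# the resource values and the property name db.password are hypothetical.
BEFORE='<Context>
  <Resource name="jdbc/app" type="javax.sql.DataSource"
            username="app" password="s3cr3t-literal"
            url="jdbc:mysql://localhost:3306/app"/>
</Context>'

# Same resource with a placeholder that Tomcat resolves from the system
# property db.password when it parses the file.
AFTER='<Context>
  <Resource name="jdbc/app" type="javax.sql.DataSource"
            username="app" password="${db.password}"
            url="jdbc:mysql://localhost:3306/app"/>
</Context>'

# Print the line numbers (stdin: context.xml) whose password attribute holds a
# literal value instead of a ${...} placeholder.
literal_passwords() {
    grep -n '[Pp]assword="[^"]*"' | grep -v '[Pp]assword="\${[^}"]*}"' | cut -d: -f1
}

# Print the property names that must be defined before Tomcat starts.
required_properties() {
    sed -n 's/.*[Pp]assword="\${\([^}"]*\)}".*/\1/p'
}

# audit_context CONTENT: returns 0 when no literal password remains.
audit_context() {
    lines=$(printf '%s\n' "$1" | literal_passwords)
    if [ -n "$lines" ]; then
        echo "literal password on line(s): $lines"
        return 1
    fi
    echo "supply at startup: $(printf '%s\n' "$1" | required_properties)"
}

audit_context "$BEFORE" || true
audit_context "$AFTER"
# The value can then come from a -Ddb.password=... entry in CATALINA_OPTS
# (visible in the process list) or from a db.password= line in
# conf/catalina.properties that only the Tomcat user can read.
```

For environment variables, Tomcat ships `org.apache.tomcat.util.digester.EnvironmentPropertySource`, selected through the `org.apache.tomcat.util.digester.PROPERTY_SOURCE` system property. In every variant the secret stays readable to whoever can read the Tomcat process environment or configuration; it is only moved out of context.xml.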




AW: Need to know about analyzing of thread dump and heap dump

2023-04-03 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Naha, Koustav
> Sent: Monday, April 3, 2023 21:58
> To: users@tomcat.apache.org
> Subject: Need to know about analyzing of thread dump and heap dump
> 
> Hi all,
> 
> Good day.
> 
> Can someone suggest me some good tools to analyze heap dump and thread
> dumps which we can use in real time production environment.
> Also, GUI based tools will be a good one to use.
> 
> Please pour in your 2 cents.
> 
> Thanks and Regards,
> Koustav Naha
> 
> 

I often use Eclipse Memory Analyzer for heap dumps and Samurai for thread dumps 
(https://samuraism.jp/samurai/en/index.html)

Greetings,
Thomas




AW: SSL issue

2023-03-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Kevin,

That's why I also suggest using PEM format.
You don't have to deal with two passwords and the files can be opened in a normal editor.
Copy & paste also works easily in PEM format.

Glad it works now.
Greetings, Thomas

> -Original Message-
> From: Kevin Huntly
> Sent: Saturday, March 18, 2023 20:30
> To: Tomcat Users List
> Subject: Re: SSL issue
> 
> I was able to read the keystore with both openssl and keytool, but for some
> reason the private key within the pkcs#12 file had a different password than
> the keystore password. I ended up just rebuilding the cert and the keystore,
> and it's working now. Thanks !
> 
> 
> Kevin Huntly
> Email: kmhun...@gmail.com
> Cell: 716/424-3311
> 
> 
> -BEGIN GEEK CODE BLOCK-
> Version: 1.0
> GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
> W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
> PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
> G++ e(+) h--- r+++ y+++*
> --END GEEK CODE BLOCK--
> 
> 
> On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH) wrote:
> 
> > Hello,
> >
> > the relevant error is:
> > Caused by: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> >
> > It seems there is something wrong with your keystore.
> > Are both, private and public key in the p12 file?
> > Can you check the contents with keytool?
> > Alternatively, you can also use pem files, they are more readable than p12.
> >
> > Greetings, Thomas
> >
> > > -Original Message-
> > > From: Kevin Huntly
> > > Sent: Saturday, March 18, 2023 19:15
> > > To: users@tomcat.apache.org
> > > Subject: SSL issue
> > >
> > > Hello Everyone,
> > >
> > > I'm having an issue with my SSL connector:
> > >
> > > 18-Mar-2023 14:12:46.996 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
> > > org.apache.catalina.LifecycleException: Protocol handler initialization failed
> > >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1014)
> > >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > >     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > >     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1032)
> > >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> > >     at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
> > >     at java.base/java.lang.reflect.Method.invoke(Method.java:578)
> > >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> > >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> > > Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> > >     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
> > >     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> > >     at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:146)
> > >     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1302)
> > >

AW: SSL issue

2023-03-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

the relevant error is:
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

It seems there is something wrong with your keystore.
Are both the private and public key in the p12 file?
Can you check the contents with keytool?
Alternatively, you can also use PEM files; they are more readable than p12.

Greetings, Thomas

> -Original Message-
> From: Kevin Huntly
> Sent: Saturday, March 18, 2023 19:15
> To: users@tomcat.apache.org
> Subject: SSL issue
> 
> Hello Everyone,
> 
> I'm having an issue with my SSL connector:
> 
> 18-Mar-2023 14:12:46.996 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1014)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1032)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>     at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:578)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>     at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:146)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1302)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1315)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:652)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1012)
>     ... 11 more
> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:454)
>     at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
>     at java.base/java.security.KeyStore.getKey(KeyStore.java:1077)
>     at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:353)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
>     ... 18 more
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
>     at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
>     at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
>     at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
>     at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:310)
>     at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2207)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:370)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
>     ... 23 more
> 
> 
> And my SSL 

AW: Unable to start application

2023-03-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Kevin Huntly
> Sent: Saturday, March 18, 2023 11:10
> To: Tomcat Users List
> Subject: Re: Unable to start application
> 
> Here are the logs -
> https://drive.google.com/file/d/1jBsNaW_bQJ4KcDSvucJ5QWo642He6bgb/view?usp=sharing
> 
> The JDBC driver is located under /opt/mysql/, and I added that path to
> catalina.properties under the common loader. I did try to move it into
> ${catalina.home}/lib, this did not change anything.
> 
 

This message looks strange:
18-Mar-2023 06:06:13.305 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with JAR file [/opt/Apache/Tomcat/apache-tomcat-9.0.73/lib/mysql-connector-j-8.0.32.jar], exists: [true], canRead: [false]

It seems that it can't load the JDBC driver from that path.
Could you download the jar again from the MySQL website and replace it?
Can you open/unpack the jar without errors?

Greetings, Thomas



> 
> 
> 
> On Sat, Mar 18, 2023 at 3:16 AM Mark Thomas  wrote:
> 
> > On 17/03/2023 23:18, John Dale (DB2DOM) wrote:
> > > ok - "mnet" should be "ment"
> >
> >  From the logs excerpt I saw earlier in the thread, that needs fixing
> > (although it was only a test element). I don't think it will break
> > anything else but better to remove the noise from the logs.
> >
> > > I figured I'd spell that out and behave like a compiler.  :)
> > >
> > > I would also move that configuration into server.xml (it's a major
> > > difference between your configuration and mine).
> >
> > That configuration style is NOT recommended. It means you have no
> > choice but to restart Tomcat if you change the Context configuration.
> > If it is in a separate Context file, Tomcat will reload the web
> > application automatically if you change the Context file.
> >
> > Stick with:
> >
> > /opt/Apache/Tomcat/apache-tomcat-9.0.73/conf/Catalina/localhost/esolutions.xml
> >
> > Do NOT specify a path attribute for the Context. It will be ignored.
> >
> > Where is the JDBC driver located? It needs to be in
> > ${CATALINA_BASE}/lib and not part of the WAR.
> >
> > Can we see the full logs from a clean start-up please?
> >
> > Mark
> >
> >
> > >
> > > Lastly, maybe to help debug a future issue, did you compile your
> > > project files against the tomcat libs included with your
> > > distribution, or did you drop them into this version of tomcat from
> > > another version?
> > >   Probably won't matter since you should be coded to the interfaces,
> > > but one never knows.
> > >
> > > John
> > >
> > > On 3/17/23, Kevin Huntly  wrote:
> > >> no I think it has something to do with it but I'm not sure. I'll try
> > >> taking out the environment values and see what happens
> > >>
> > >> On Fri, Mar 17, 2023, 19:11 John Dale (DB2DOM) wrote:
> > >>
> > >>> In the log you sent below, I see a typo:
> > >>> Context/Environmnet
> > >>>
> > >>> Does that have something to do with it, or is this a typo in
> > >>> tomcat logging?
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On 3/17/23, Kevin Huntly  wrote:
> >  yes, under Catalina/localhost
> > 
> >  On Fri, Mar 17, 2023, 19:07 John Dale (DB2DOM)
> >  
> > >>> wrote:
> > 
> > > Are you modifying a context.xml file in the conf folder?
> > >
> > > On 3/17/23, Kevin Huntly  wrote:
> > >> Also of note:
> > >>
> > >> 17-Mar-2023 17:25:42.113 INFO [main]
> > >> org.apache.catalina.startup.HostConfig.deployDescriptor
> > >> Deploying deployment descriptor
> > >>
> > >
> > >>>
> > [/opt/Apache/Tomcat/apache-tomcat-9.0.73/conf/Catalina/localhost/esolutions.xml]
> > >> 17-Mar-2023 17:25:42.174 WARNING [main]
> > >> org.apache.tomcat.util.digester.Digester.endElement No rules found
> > >> matching [Context/Environmnet]
> > >> 
> > >>
> > >> Kevin Huntly
> > >> Email: kmhun...@gmail.com
> > >> Cell: 716/424-3311
> > >> 
> > >>
> > >>
> > >>
> > >> On Fri, Mar 17, 2023 at 5:24 PM Kevin Huntly
> > >> 
> > >> wrote:
> > >>
> > >>> Here's my sanitized server.xml and context.xml
> > >>>
> > >>> server.xml -> https://pastebin.com/Bj6Wh0qU context.xml ->
> > >>> https://pastebin.com/Z3dBf3eK
> > >>>
> > >>
> > 

Systemd file and umask for tomcat

2023-03-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
today I was struggling with the umask on ubuntu and tomcat.

The normal way to do it in systemd is:

[Service]
UMask=0022

Unfortunately, this didn’t work, and it took me a while to figure out that
catalina.sh is overwriting the umask with 0027 if no env-variable was set.
So for tomcat, I needed to set:
Environment='UMASK=0022'

Is there any reason why tomcat has some unexpected logic which overrides the
systemd settings?

Thanks! Thomas
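
Added example (not Tomcat's own script and not part of the post): a shell function that applies an inherited umask, then the UMASK defaulting the post describes, and reports the mode a newly created file ends up with. The function name and the probe file are hypothetical; the values 0027 and 0022 are the ones from the post.

```shell
#!/bin/sh
# Added illustration: shows why systemd's UMask= has no visible effect when
# the start script falls back to 0027, and what Environment='UMASK=0022'
# changes. Permissions matter here because they decide who can read the
# logs and work files Tomcat creates.

# $1 = umask the service manager handed to the process (systemd UMask=)
# $2 = value of the UMASK environment variable ("" when it is not set)
# Prints the permission string of a file created under the resulting umask.
tomcat_file_mode() {
    (
        umask "$1"                   # what systemd applied before exec

        UMASK="$2"
        # Defaulting as described in the post: 0027 unless UMASK is set.
        if [ -z "$UMASK" ]; then
            UMASK="0027"
        fi
        umask "$UMASK"               # replaces the inherited value

        dir=$(mktemp -d) || exit 1
        : > "$dir/probe.log"         # created as 0666 masked by the umask
        ls -l "$dir/probe.log" | cut -c1-10
        rm -rf "$dir"
    )
}

# systemd drop-in equivalents of the three cases (values from the post,
# third case constructed):
#   [Service]                      [Service]
#   UMask=0022                     Environment='UMASK=0022'
printf 'UMask=0022, UMASK unset : %s\n' "$(tomcat_file_mode 0022 '')"
printf 'UMask=0022, UMASK=0022  : %s\n' "$(tomcat_file_mode 0022 0022)"
printf 'UMask=0077, UMASK=0022  : %s\n' "$(tomcat_file_mode 0077 0022)"
```

With UMASK unset the file is group-readable only (0640); setting UMASK=0022 makes newly created files world-readable (0644), even when the unit asks for a stricter UMask.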




AW: Did something JSP related change between 9.0.71 and 9.0.73

2023-03-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Thomas Meyer 
> Sent: Friday, 17 March 2023 09:57
> To: users@tomcat.apache.org
> Subject: Did something JSP related change between 9.0.71 and 9.0.73
> 
> Hi,
> 
> One of our jsp pages did start to render incorrectly in 9.0.73.
> The same page does render correctly in 9.0.71.
> We never did use 9.0.72.
> 
> Any ideas?

Can you provide a JSP snippet and how it rendered before and afterwards?

Thanks! Thomas




AW: How do I see the POST payload sent from Tomcat

2023-03-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Aditya Kumar <0akum...@gmail.com>
> Sent: Thursday, 16 March 2023 20:29
> To: Tomcat Users List 
> Subject: How do I see the POST payload sent from Tomcat
> 
> I have a Java application running under Tomcat 9. One component of this
> application is OpenID authentication, in which my application is a relying 
> party.
> 
> It sends a POST request to https://login.microsoftonline.com, but  in one
> scenario I'm getting an error back from Microsoft.
> 
> I need to see exactly what was sent in the POST request including the POST
> payload data. Is there a way of doing this? I tried the requestdumper filter 
> but I
> don't see anything useful.

You could use javax.net.debug as explained here: 
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
  
Another option would be a reverse proxy in between, but it takes a bit of work.

Greetings, Thomas


AW: connecting tomcat server to eclipse java ee

2023-03-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

as an alternative, you can also create a normal java debug configuration with 
the main class
org.apache.catalina.startup.Bootstrap

Add all the service parameters to the tab Arguments --> VM-arguments.
As a program argument I use 
-config "\server.xml" start

Add the needed Tomcat jars to the dependencies.

Greetings, Thomas

> -Original Message-
> From: JIM HENK 
> Sent: Friday, 10 March 2023 07:58
> To: Tomcat Users List 
> Subject: Re: connecting tomcat server to eclipse java ee
> 
> Well….
> 
> When you see that message, Eclipse has gone through its table of Tomcat
> version possibilities known at the time your version of Eclipse was published,
> and hasn't found it.  Must’ve come *after*.
> 
> Therefore, The version of Eclipse you need to use has got to have been released
> *after* the version of Tomcat that you’ve got installed.  That way, it will have
> that version of Tomcat in its table of known Tomcat versions it can choose
> from.
> 
> Folks, do you concur, or am I wrong here?
> 
>- Jim Henk
> 
> > On Mar 9, 2023, at 6:36 PM, Stephanie Panah
>  wrote:
> >
> > Help please. I have installed: Java EE, Eclipse and Tomcat.
> > When I try to connect the server, I encounter:
> > Unknown version of Tomcat was specified.
> > I am looking all over. please help
> >
> > Java EE for web developers
> > C:\Users\steph> java -fullversion
> > java full version "17.0.6+9-LTS-190"
> >
> > and
> > Eclipse IDE for Enterprise Java and Web Developers
> > Version: 2022-12 (4.26.0)
> > Build id: 20221201-1913
> >
> > and
> > http://localhost:8080/
> > Apache Tomcat/10.1.7
> > If you're seeing this, you've successfully installed Tomcat.
> > Congratulations!
> > C:\Program Files\Apache Software Foundation\Tomcat 10.1 and Tomcat is
> > running in Services
> 
> 



AW: --add-opens gives me unknown module

2023-03-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

it seems you are using an outdated library which is not compatible with Java 17.
Are there any other libraries except spring boot which might use the proxy
class?
Best is to search for a newer version and upgrade the corresponding library.

Greetings, Thomas

> -Original Message-
> From: Neil Aggarwal 
> Sent: Friday, 10 March 2023 05:23
> To: users@tomcat.apache.org
> Subject: --add-opens gives me unknown module
> 
> Hey everyone:
> 
> 
> 
> I am trying to deploy a Spring Boot 3.0.4 application to a Tomcat 10.1.7
> 
> server.  The machine has java 17 installed.
> 
> 
> 
> When I try to load tomcat, it gives me this error:
> 
> java.lang.reflect.InaccessibleObjectException: Unable to make field private
> static final java.lang.reflect.Method jdk.proxy3.$Proxy74.m0 accessible:
> module jdk.proxy3 does not "opens jdk.proxy3" to unnamed module
> @14022c95
> 
> 
> 
> It seems strange to me the module can’t open itself.  But, I added these lines in
> setenv.sh to try to work around it:
> 
> JAVA_OPTS="$JAVA_OPTS --add-opens jdk.proxy3/jdk.proxy3=ALL-UNNAMED"
> 
> export JAVA_OPTS
> 
> 
> 
> But, now, when I run tomcat, I get this:
> 
> WARNING: Unknown module: jdk.proxy3 specified to --add-opens
> 
> 
> 
> And I still get the exception.
> 
> 
> 
> Any ideas what I need to do here?
> 
> 
> 
> Thank you,
> 
>   Neil
> 
> 
> 
> --
> 
> Neil Aggarwal, (972) 834-1565, http://www.propfinancing.com
> 
> We offer 30 year loans on single family houses!


AW: HTTP Error 414. The request URL is too long.

2023-03-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Seth Mayers 
> Sent: Friday, 10 March 2023 01:14
> To: Tomcat Users List 
> Subject: Re: HTTP Error 414. The request URL is too long.
> 
> Thanks.  Sadly I know how the data is being pushed.  It is poorly architected.
> Developers are working to re-write it but I am looking for a short term solution
> until they can complete that project.  I found where windows is logging the
> error.  I am just not sure which process writes to this log or how to tell it to
> ignore the error.  I thought I had it with a registry entry but it didn't fix the
> problem.
> 
> C:\Windows\System32\LogFiles\HTTPERR

This looks like a windows system running IIS.
IIS also has some max-settings for requests.
Maybe you can check the IIS advanced settings for this site.


> 
> 2023-03-09 23:55:40 192.168.103.30 56355 192.168.0.27 80 - GET - - 414 -
> URL_Length -
> 
> On Thu, Mar 9, 2023 at 7:06 PM Terence M. Bandoian 
> wrote:
> 
> > On 3/9/2023 5:47 PM, Jason Tan wrote:
> > > Hi Seth,
> > > One of my customers had the same error. We also tried increasing
> > > maxHttpHeaderSize as suggested on Google.  It worked for him for a
> > > while, but he encountered the same error again later on.
> > > Our developers got involved and later discovered that our app was trying
> > > to display all his favourites and the customer somehow managed to
> > > accumulate a huge list of favourites. So, a hotfix was created to
> > > limit the size of the favourites that get displayed on to the browser.
> > > I hope that helps you sort it out with the application to find what huge
> > > data is being pushed onto the url and limit it.
> > > -Original Message-
> > > From: Mark Thomas 
> > > Sent: Friday, March 10, 2023 9:34 AM
> > > To: users@tomcat.apache.org
> > > Subject: Re: HTTP Error 414. The request URL is too long.
> > >
> > > On 09/03/2023 20:59, Seth Mayers wrote:
> > >> I am running Apache Tomcat Version 9.0.48.
> > >>
> > >> If I post a transaction that is very large, I get the "414; The
> > >> request URL is too long".
> > >>
> > >> I have tried adding a bunch of parameters to my server.xml file but
> > >> none of them seem to work.  I have tried:
> > >> maxHttpHeaderSize="262144"
> > >> maxSavePostSize="-1"
> > >> maxPostSize="-1"
> > >> maxHttpRequestHeaderSize="262144"
> > >>
> > >> I have someone that was able to resolve the same issue running
> > >> Tomcat
> > >> 8.5 but his solution (maxhttpheadersize) did not work for me.  Did
> > >> something change between 8.5 and 9.0.48 that might affect things?
> > >> Is something involved beyond just server.xml?
> > > Tomcat 9.0.x never returns a 414 status code. Wherever that status code
> > > is originating, it isn't Tomcat. It must be in the application or in a
> > > component before Tomcat.
> > >
> > > Mark
> > >
> > >
> > >>
> > >> SAMPLE POST (the one that fails is FAR larger than this)
> > >>
> > >>
> http://servername/gatewayAdminTest/GatewayClient?OutputType=1
> > >> Typ
> > >> e=1= > >> name="CreateOrder">
> > >> 
> > >> 
> > >>
> > >>   LSF
> > >>   01092390
> > >>   02
> > >>   
> > >>   test_promo_freeProduct
> > >>   DROP
> > >>   
> > >>   
> > >>   01092391
> > >>   WEB001232
> > >>   O
> > >>
> > >>
> > >>   
> > >>  39012621
> > >>  1.0
> > >>  BAG
> > >>   
> > >>
> > >> 
> > >>  
> > >> 
> > >> =xxx
> > >> --
> > >>
> >
> > Are you sure that's a POST request? I'd suggest looking at the Tomcat
> > access log if you can get a request that far.
> >
> > -Terence Bandoian
> >
> >
> >
> >
> 
> --
> 
> 
> *Seth Mayers* Chief Technology Officer
> *p:*
> *e:* seth.may...@petfoodexperts.com
> www.petfoodexperts.com
> 


AW: sslHostConfig and ciphers

2023-03-08 Thread Thomas Hoffmann (Speed4Trade GmbH)
concurrent.FutureTask.run(FutureTask.java:266)
>   at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>   at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
>   at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:916)
>   at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:265)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.core.StandardService.startInternal(StandardService.java:430)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)}
> 
> )
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> 
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Wednesday, March 8, 2023 2:38 AM
> > To: users@tomcat.apache.org
> > Subject: Re: sslHostConfig and ciphers
> >
> >
> >
> > On 08/03/2023 07:45, l...@kreuser.name wrote:
> > > Beware Jon,
> > >
> > >> Am 08.03.2023 um 07:56 schrieb
> > >> jonmcalexan...@wellsfargo.com.invalid
> > :
> > >>
> > >> Fwiw, this is happening in an outbound connection originated by a
> > springboot app hosted in Tomcat. Any known issues with this and
> > handshake issues?
> >
> > What is happening? I have re-read the thread several times and can't
> > find a description of what isn't working.
> >
> > >>
> > >
> > > Then the tomcat sslHostConfig does not matter at all, only the one on the
> > > java options (or security config) "jdk.tls.client.cipherSuites".
> >
> > That is likely the one to look at although be aware limiting the TLS
> > protocol versions will also limit the available cipher suites.
> >
> > Mark
> >
> >
> > >
> > >
> > > Peter
> > >
> > >
> > >>
> > >> Thanks,
> > >>
> > >>
> > >> From: jonmcalexan...@wellsfargo.com.INVALID
> > >> Sent: Mar 4, 2023 3:08 AM
> > >> To: users@tomcat.apache.org
> > >> Subject: RE: sslHostConfig and ciphers
> > >>
> > >> Thank you!!!
> > >>
> > >>
> > >> Thanks,
> > >>
> > >>
> > >> 
> > >> From: "Thomas Hoffmann (Speed4Trade GmbH)"
> > >> 
> > >> Sent: Mar 4, 2023 1:

AW: sslHostConfig and ciphers

2023-03-03 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

this message originates from the Java you are using. It's not from Tomcat.
Java doesn't know this cipher suite, or it is disabled in java.security.

You can list the supported ciphers via some code lines like 
https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms
  

Greetings, Thomas

> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Friday, 3 March 2023 18:38
> To: users@tomcat.apache.org
> Subject: sslHostConfig and ciphers
> 
> Ok, I don't know if I'm doing something wrong, or if I'm just not reading the
> output correctly.
> 
> I have JSSE connector using sslHostConfig and in there I have defined ciphers,
> as below:
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150"
> maxHttpHeaderSize="16384"
> compression="on"
> scheme="https"
> SSLEnabled="true"
> secure="true"
> defaultSSLHostConfigName="test.test">
>  hostName="test.test"
> protocols="TLSv1.2"
> ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH
> _AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_C
> CM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_
> CCM_8,
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_128_G
> CM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_1
> 28_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM
> _8,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_
> CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
>  certificateKeystoreFile=""
> certificateKeystorePassword ="${keystore.pass}"
> certificateKeyPassword="${keystore.pass}"
> certificateKeyAlias=""
> />
> 
> 
> 
> However, if I enable ssl debugging, I am getting the following messages in my
> catalina.out file.
> 
> 03-Mar-2023 16:43:22.120 INFO [main] org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-9443"]
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.146
> UTC|SSLContextImpl.java:425|System property jdk.tls.client.cipherSuites is set
> to 'null'
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.150
> UTC|SSLContextImpl.java:425|System property jdk.tls.server.cipherSuites is set
> to 'null'
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.161
> UTC|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding
> KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.201
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.201
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.202
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.202
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.202
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.202
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.203
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.212
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.212
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.213
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.213
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.213
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.213
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.214
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.221
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> TLS_DH_anon_WITH_AES_256_GCM_SHA384
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.221
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> 
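
Added example (not from the thread and not Tomcat or JDK code): a shell helper that extracts the "Ignore disabled/unsupported cipher suite" entries from javax.net.debug output like the log quoted in this message, and reports whether any suite named in a connector's ciphers attribute is among them. Function names are hypothetical; the sample reuses three entries from the quoted log, and the short ciphers lists passed in the demo are constructed.

```shell
#!/bin/sh
# Added illustration: triage of javax.net.debug "Ignore ... cipher suite" lines.

# Three entries from the quoted log: two as wrapped by the mail client,
# one joined onto a single line, all carrying the "> " quote prefix.
sample_log() {
cat <<'EOF'
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.201
> UTC|SSLContextImpl.java:399|Ignore disabled cipher suite:
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.201
> UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite:
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.221 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
EOF
}

# stdin: debug log (quoted or not, wrapped or not)
# stdout: unique "<reason> <suite>" pairs, reason = disabled | unsupported
ignored_suites() {
    awk '
        { sub(/^>[ \t]?/, ""); sub(/[ \t\r]+$/, "") }   # drop quote prefix
        /Ignore (disabled|unsupported) cipher suite:/ {
            reason = ($0 ~ /Ignore disabled/) ? "disabled" : "unsupported"
            suite = $0
            sub(/^.*cipher suite:[ \t]*/, "", suite)
            if (suite != "") { print reason, suite; reason = "" }
            next                       # suite name may be on the next line
        }
        reason != "" && /^[A-Za-z0-9_]+$/ { print reason, $0 }
        { reason = "" }
    ' | sort -u
}

# $1: comma-separated value of the ciphers attribute; stdin: debug log
# stdout: configured suites the JVM reported ignoring (nothing if none)
configured_but_ignored() {
    ignored=$(ignored_suites | cut -d' ' -f2 | sort -u)
    printf '%s,' "$1" | tr -d ' \t\n' | tr ',' '\n' |
    while read -r suite; do
        [ -n "$suite" ] || continue
        if printf '%s\n' "$ignored" | grep -qxF -- "$suite"; then
            printf '%s\n' "$suite"
        fi
    done
}

# Demo: list what was ignored, then check a constructed two-suite list.
sample_log | ignored_suites
sample_log | configured_but_ignored \
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA'
```

In the part of the log visible above, the ignored suites are 3DES and anonymous-DH suites, none of which appear in the configured ciphers list.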

AW: Unpackwar

2023-03-02 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

maybe this page gives a good overview:
https://tomcat.apache.org/tomcat-9.0-doc/config/automatic-deployment.html

Greetings, Thomas

> -Original Message-
> From: Devatha Naga Puneeth 
> Sent: Thursday, 2 March 2023 15:20
> To: users@tomcat.apache.org
> Subject: Unpackwar
> 
> Hi,
> 
> I checked the documentation and only understood that if unpackwar enabled
> then contents of the application will be extracted in the appBase.
> 
> What is the use of UnpackWar to false ? When to prefer true and false ?


AW: AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-06 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello James, 

> -Original Message-
> From: James H. H. Lampert 
> Sent: Monday, 6 February 2023 18:18
> To: Tomcat Users List 
> Subject: Re: AW: Having trouble with Tomcat crashes. Interesting memory
> numbers in Manager
> 
> Thanks, Herr Hoffmann. Your questions were most helpful in determining
> what information to gather and share. And thanks in advance to anybody
> else who has any insights.
> 
> First, I will note that the seemingly non-sequitur nursery-survivor numbers
> aren't just what we see during a crash; they're what we see when it's running
> normally.
> 
> On 2/4/23 6:13 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Could you describe "crash" in a bit more detail?
> 
> Typically, the signed-on users start to get degraded response times, before it
> becomes completely unresponsive.
> 
> > - does the tomcat / java process run but is unresponsive?
> 
> Yes. Exactly. And shutting it down (and therefore freeing up the port for a
> restart) takes a fairly sizeable amount of time, and leaves a core dump of
> approximately 6G size, a Javacore dump of approximately 4M size, and a JIT
> dump of approximately 20M size.
> 
> > - does the java process crash itself (then there should be a logfile 
> > written)?
> The job does not generally terminate itself, or even respond to a shutdown
> request; it has to be forcibly terminated (given that it's running on an 
> AS/400,
> this would typically be either from WRKACTJOB, or from an ENDJOB
> command, or from their GUI console equivalents).
> 
> This may be relevant: even when it is not in this state, the Tomcat server,
> when being shut down, tends not to respond readily to shutdown requests.
> 
> > - Is there any OOM message in the logfiles?
> Not out-of-memory, but there are chronic problems with contacting outside
> web services (many of them involving Oauth2), and with BIRT reporting.
> 
> Around the time of the shutdown, I typically see stuff like:
> Unhandled exception
> Type=Segmentation error vmState=0x
> J9Generic_Signal_Number=0004 Signal_Number=000b
> Error_Value= Signal_Code=0032
> 
> I am not sure whether this is going into catalina.out before or after the job 
> is
> forcibly terminated.
> 
> > - Is the process still alive but CPU at 100% ?
> Yes.
> 
> We just had a near-miss as I was typing this: CPU pushing up into the high
> 80s, and the JVM job for Tomcat eating up most of it, but it backed down to
> something more normal without my having to intervene, and without any
> sign of anybody else intervening.
> 
> One of my colleagues managed to get into manager during the near-miss,
> and took a screen-shot. The "nursery-allocate" Used was at 400.97M (34%),
> "nursery-survivor" as I described last week, "tenured-LOA" Used was at zero
> used, and "tenured-SOA" was showing Initial 2918.40M, Total 3648.00M,
> Maximum 4864.00M, and Used 1997.72M (41%).
> 
> --
> JHHL
> 

The observations look like Java is running out of memory and the garbage
collector can't keep up with making memory free again.
Either the GC uses 100% or the application has some CPU-intensive procedures. I
would guess that it’s the GC.
One option would be to open a JMX port on tomcat and use VisualVM to connect to 
the java process and inspect the memory and GC usage.
When the CPU is eating 100% CPU you might also consider generating a thread 
dump (kill -3) and check if there are any suspicious threads running.

Also setting the java options HeapDumpOnOutOfMemoryError and HeapDumpPath might 
help, if the process stops because of OOM.
If the GC can always free some bytes again, which the application is instantly 
eating again, an OOM might not occur.

You can also add parameters to log some GC statistics, but I never used that : 
https://sematext.com/blog/java-garbage-collection-logs/  

Greetings,
Thomas


AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-04 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello James,

> From: James H. H. Lampert 
> Sent: Saturday, 4 February 2023 01:39
> To: Tomcat Users List 
> Subject: Having trouble with Tomcat crashes. Interesting memory numbers in
> Manager
> 
> One of our customers, one who basically pushes our Tomcat webapp to the
> limit, is having trouble with crashes.
> 
> Some interesting numbers are showing up in Server Status, in Manager:
> 
> nursery-allocate has initial 512M, total 1152M, maximum 1152M, used
> 587.05M.
> 
> nursery-survivor has initial 512M, total 128M, maximum 128M, used 128M
> (how exactly can initial exceed maximum?!?)
> 
> Everything else looks quite low.
> 
> They're on 8.5.73, running under Java 8.0.5.5, on an AS/400.
> 
> Does anybody here have any ideas? Can anybody here explain the odd
> numbers for nursery-survivor?
> 
> --
> JHHL
> 

Could you describe "crash" in a bit more detail?
- does the tomcat / java process run but is unresponsive?
- does the java process crash itself (then there should be a logfile written)?
- Is there any OOM message in the logfiles?
- Is the process still alive but CPU at 100% ?

This information would help to narrow down the issue.

Greetings, Thomas




AW: [External] : Re: Tomcat as a Windows Service not picking JAVA_OPTS parameter

2023-02-01 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

could you print out all system properties, e.g. within a debug.jsp?
Similar to:
https://mkyong.com/java/how-to-list-all-system-properties-key-and-value-in-java/

Maybe you can find your option somewhere else or is it completely missing?

Greetings, Thomas

> -Original Message-
> From: Rajagopalan Hariharan 
> Sent: Wednesday, 1 February 2023 16:22
> To: Tomcat Users List 
> Subject: RE: [External] : Re: Tomcat as a Windows Service not picking
> JAVA_OPTS parameter
> 
> Hi,
> 
> No it is not working even after setting the same.
> 
> Regards,
> Rajagopalan H
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 1, 2023 3:41 PM
> To: users@tomcat.apache.org
> Subject: [External] : Re: Tomcat as a Windows Service not picking JAVA_OPTS
> parameter
> 
> On 01/02/2023 02:37, Rajagopalan Hariharan wrote:
> > Hi,
> >
> > I have deployed ORDS 22.4 version in Tomcat 9 (which is installed as a
> Windows Service).
> >
> > For ORDS to work we have to set JAVA_OPTS parameter before starting
> Tomcat.
> >
> > This works perfectly fine when set in cmd and Tomcat started in cmd using
> startup.bat.
> >
> > But when you start as service, I have tried setting the parameter in ENV
> variables , right click services and include in Startup, Catalina.properties -
> nothing worked.
> 
> Using Tomcat9w.exe, navigate to the Java tab and add the necessary entries
> under Java Options. Each entry should be on a new line.
> 
> Mark
> 
> 



AW: Tomcat client certificate authentication

2023-02-01 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Dave,

> -Original Message-
> From: Dave Breeze 
> Sent: Wednesday, 1 February 2023 12:17
> To: Tomcat Users List 
> Subject: Re: Tomcat client certificate authentication
> 
> Chris
> thanks for your mail
> Apologies for confusion. Yes I am requesting certificates
> - sslCon.setProperty("clientAuth", "required") and a user can only connect by
> supplying a valid certificate.
> 
> I removed constraints from the web.xml as I did not want access to a servlet
> restricted to a role - I need the servlet to respond differently based on 
> role.
> what I have decided to do in the servlet is to retrieve the user-id from the
> certificate and determine their role by using a security product native to the
> platform on which Tomcat is running
> 
> Thanks for your help.
> 
> Dave Breeze
> Linkedin:https://uk.linkedin.com/in/dabreeze
> 

I think you need constraints in your web.xml. Otherwise Tomcat won't ask for 
authentication.
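Something like:

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>protected area</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>

   <auth-constraint>
     <role-name>my-role</role-name>
   </auth-constraint>

   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 <security-role>
   <role-name>my-role</role-name>
 </security-role>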

Otherwise the user is treated as an anonymous user without any identity.

Greetings, Thomas

> 
> On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Dave,
> >
> > On 1/30/23 04:21, Dave Breeze wrote:
> > > Thanks  Chris
> > > the application is requesting certificate authentication - and this
> > > is working - it is just the mapping of users to roles that is not
> > > happening
> >
> > No, the server is requesting the certificate information; the
> > application is not. From your original posting:
> >
> >
> > On 1/28/23 09:28, Dave Breeze wrote:
> >  > There are no security constraints on the apps web.xml.
> >
> > With no security constraints, the application is not requesting
> > authentication. Tomcat therefore does not provide any "authentication
> > information" to the application. If the client sends a certificate
> > (which is happening at the request of the /server/), then Tomcat will
> > forward that certificate information to the application. But it will
> > not use it for any kind of authentication or authorization.
> >
> > > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > > configured using X509UsernameRetrieverClassName but it was never
> > > called. In my servlet, however, I can retrieve the certificates.
> >
> > That's consistent with your configuration IMO.
> >
> > You will have to tell your application to use CLIENT-CERT
> > authentication if you want Tomcat to parse that cert chain for you,
> > populate the user principal, etc.
> >
> > -chris
> >
> > > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> > >  wrote:
> > >>
> > >> Dave,
> > >>
> > >> On 1/28/23 09:28, Dave Breeze wrote:
> > >>> this is Tomcat 9.0 running embedded
> > >>>
> > >>> I am trying to authorize access by client certificate. I want the
> > >>> servlet response to be tailored to the user's role. In other words
> > >>> I am not looking to deny access by role.
> > >>>
> > >>> The connector has sslCon.setProperty("clientAuth", "required");
> > >>> The context has a config file set
> > serverAppContext.setConfigFile(contextURL);
> > >>> The config file contains
> > >>>
> > >>>  
> > >>>  > >>>debug="9"
> > >>>pathname="/var/CartS3Server/cartapp/users.xml"/>
> > >>> 
> > >>>
> > >>> users.xml contains
> > >>>
> > >>>  
> > >>> 
> > >>> 
> > >>>  > roles="cart-user"/>
> > >>>  > roles="cart-admin"/>
> > >>> 
> > >>>
> > >>>
> > >>> Certificates are imported into the browser and the browser prompts
> > >>> for cert selection.
> > >>>
> > >>> There are no security constraints on the apps web.xml.
> > >>>
> > >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > >>> This always fails. Also a req.getUserPrincipal() call always
> > >>> returns null. The request does not seem to be authenticated.
> > >>   >
> > >>> Further in the servlet a X509Certificate[] certs =
> > >>> (X509Certificate[])
> > >>> req.getAttribute("javax.servlet.request.X509Certificate")
> > >>> correctly returns both the certificate from the browser plus the
> > >>> Cert Auth. A
> > >>> getSubjectX500Principal().getName() call on the browser
> > >>> certificate returns the cn/o/ou setting that should match with
> > >>> users.xml.
> > >>>
> > >>> What am I missing here?
> > >>
> > >> If the application does not request authentication, Tomcat will not
> > >> perform it on behalf of the application. If you want a Principal
> > >> and to be able to check roles, etc. then you'll need to request
> > >> CLIENT-CERT authentication in web.xml (or the embedded equivalent).
> > >>
> > >> -chris
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: 
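
The "embedded equivalent" of the web.xml constraint discussed in this thread, as an added example that is not part of the original messages and is not Tomcat project code. It assumes tomcat-embed-core 9.0 on the classpath; the class and method names are hypothetical, and the role names are the ones mentioned in the quoted post.

```java
import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

/** Hypothetical helper: programmatic CLIENT-CERT setup for an embedded Tomcat 9 context. */
public final class ClientCertAuthSetup {

    private ClientCertAuthSetup() {
    }

    /**
     * Call before the context is started, e.g.
     * ClientCertAuthSetup.requireClientCert(serverAppContext, "cart-user", "cart-admin");
     * Every listed role may reach the application; the servlet can then branch on
     * request.isUserInRole(...) because the principal is populated.
     */
    public static void requireClientCert(Context ctx, String... roles) {
        // <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
        // Without a login method the certificate is only passed through as a request
        // attribute and is never mapped to a realm user.
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        ctx.setLoginConfig(login);

        // <web-resource-collection> covering the whole application
        SecurityCollection everything = new SecurityCollection();
        everything.setName("protected area");
        everything.addPattern("/*");

        // <security-constraint> with <auth-constraint> and <user-data-constraint>
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(everything);
        constraint.setAuthConstraint(true);
        constraint.setUserConstraint("CONFIDENTIAL");
        for (String role : roles) {
            constraint.addAuthRole(role);   // <role-name> inside <auth-constraint>
            ctx.addSecurityRole(role);      // <security-role>
        }
        ctx.addConstraint(constraint);

        // A context created with Tomcat.addContext() has no ContextConfig listener to
        // install an authenticator, so add the CLIENT-CERT authenticator valve if the
        // pipeline does not already contain one.
        if (ctx.getAuthenticator() == null) {
            ctx.getPipeline().addValve(new SSLAuthenticator());
        }
    }
}
```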

AW: systemctl start - fails

2023-01-26 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

Please check syslog and all log files of tomcat for the root cause.
You will find the cause in one of these logfiles.

Greetings! Thomas

From: Amn Ojee Uw
Sent: Thursday, 26 January 2023 18:09:23
To: users@tomcat.apache.org
Subject: systemctl start - fails

When I type 'sudo systemctl start tomcat' I get this error!

Job for tomcat.service failed because the control process exited with
error code.

Does anyone know what is causing this error?

Thanks


AW: Password in Tomcat 9.x

2023-01-19 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Alex,

I am not a tomcat developer but as there are several alternatives, I suppose 
that this is not a big benefit.
Most users just remove the password.. at least it's my experience.
I don't see benefits by putting a password on the key as long as the folder 
permissions are set properly.

Greetings, Thomas

> -Original Message-
> From: a.grub...@bluewin.ch
> Sent: Thursday, 19 January 2023 19:31
> To: 'Tomcat Users List'
> Subject: AW: Password in Tomcat 9.x
> 
> Hoi Thomas
> 
> Thank you for your feedback.
> 
> Do you know if in future apache tomcat releases, this will be possible to put a
> path? It would be the easiest for everyone, my opinion...
> 
> Thanks
> Alex
> 
> -----Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> Sent: Wednesday, 18 January 2023 22:03
> To: Tomcat Users List
> Subject: AW: Password in Tomcat 9.x
> 
> Hello Alex,
> 
> thanks for the clarification. Now I got the topic.
> 
> I don't think that you can use a path there.
> 
> The options I have in mind are:
> - Use properties:
> https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
> - Remove password or set it to the same password.
>   This won't decrease security in my opinion.
> 
> Greetings,
> Thomas
> 
> > -Original Message-
> > From: a.grub...@bluewin.ch
> > Sent: Wednesday, 18 January 2023 20:28
> > To: 'Tomcat Users List'
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hoi Thomas
> >
> > Thanks for your feedback.
> >
> > I checked - here I can give you the following.
> >
> > I have a webserver certificate (p12) stored on the filesystem. It has
> > the p12.pwd also this location. Owner and group are well protected
> > from other technical users.
> >
> > Now, the config file, where the webserver cert is used is in the
> > server.xml.
> >
> > Inside there:
> >
> > clientAuth="true" sslProtocol="TLS"
> > keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
> > keystorePass="PASSWORD"
> > truststore="TRUSTSTORE_CERTIFICATE.jks"
> > truststorePass="PASSWORD"
> > sslEnable="True"
> > protocol="org.apache.coyote.http11.Http11Prococol"
> >
> > Now I would like to remove the PASSWORD from the keystorePass and put
> > in there the path to the pwd of the webserver certificate. Same also
> > for the truststore.
> >
> > - Is that possible? If yes, how is that to be done?
> >
> > Thanks for your feedback.
> >
> > Regards
> > Alex
> >
> >
> >
> >
> >
> > -Original Message-
> > From: Thomas Hoffmann (Speed4Trade GmbH)
> > Sent: Wednesday, 18 January 2023 07:12
> > To: Tomcat Users List
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hello Alex,
> > I usually remove the password on the p12 file via openssl.
> > Protecting with password and writing the password in clear text
> > somewhere doesn't improve security much I think.
> > Dunno if this is a possible way to go for you.
> > Greetings,
> > Thomas
> > 
> > From: a.grub...@bluewin.ch
> > Sent: Tuesday, 17 January 2023 21:01:00
> > To: 'Tomcat Users List'
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hoi Thomas
> >
> > Received also from Mark an email where he requested an example of the
> > web.xml. Will provide you this tomorrow. Below is what I wrote him.
> >
> > Regards
> > Alex
> >
> > #
> > #
> > #
> > Hi Mark
> >
> > I will provide a config example tomorrow. Let you know the details.
> >
> > I have them on the other machine.
> >
> > In general it is like that - we have a webserver certificate (p12),
> > which we use to have the https protocol. The certificate comes
> > together with a p12.pwd file and this password of the certificate is
> > stored in the web.xml.
> > I want now to remove this password by configuring just the path to
> > this file.
> >
> > In case someone renew the certificate, the restart of tomcat can be
> > done anytime as always the correct password is used.
> >
> > Regards
> > Alexander
> > #
> > #
> > #
> >
> > -Original Message-
> > From: Thomas Hoffmann (Speed4Trade GmbH)
> > Sent: Tuesday, 17 January 2023 19:19
> > To: Tomcat Users List
> > Subject: 

AW: Password in Tomcat 9.x

2023-01-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Alex,

thanks for the clarification. Now I got the topic.

I don't think that you can use a path there.

The options I have in mind are:
- Use properties: 
https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
 
- Remove password or set it to the same password.
  This won't decrease security in my opinion.

Greetings,
Thomas

> -Original Message-
> From: a.grub...@bluewin.ch
> Sent: Wednesday, 18 January 2023 20:28
> To: 'Tomcat Users List'
> Subject: AW: Password in Tomcat 9.x
> 
> Hoi Thomas
> 
> Thanks for your feedback.
> 
> I checked - here I can give you the following.
> 
> I have a webserver certificate (p12) stored on the filesystem. It has the
> p12.pwd also this location. Owner and group are well protected from other
> technical users.
> 
> Now, the config file, where the webserver cert is used is in the server.xml.
> 
> Inside there:
> 
> clientAuth="true" sslProtocol="TLS"
> keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
> keystorePass="PASSWORD"
> truststore="TRUSTSTORE_CERTIFICATE.jks"
> truststorePass="PASSWORD"
> sslEnable="True"
> protocol="org.apache.coyote.http11.Http11Prococol"
> 
> Now I would like to remove the PASSWORD from the keystorePass and put in
> there the path to the pwd of the webserver certificate. Same also for the
> truststore.
> 
> - Is that possible? If yes, how is that to be done?
> 
> Thanks for your feedback.
> 
> Regards
> Alex
> 
> 
> 
> 
> 
> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> Sent: Wednesday, 18 January 2023 07:12
> To: Tomcat Users List
> Subject: AW: Password in Tomcat 9.x
> 
> Hello Alex,
> I usually remove the password on the p12 file via openssl.
> Protecting with password and writing the password in clear text somewhere
> doesn't improve security much I think.
> Dunno if this is a possible way to go for you.
> Greetings,
> Thomas
> 
> From: a.grub...@bluewin.ch
> Sent: Tuesday, 17 January 2023 21:01:00
> To: 'Tomcat Users List'
> Subject: AW: Password in Tomcat 9.x
> 
> Hoi Thomas
> 
> Received also from Mark an email where he requested an example of the
> web.xml. Will provide you this tomorrow. Below is what I wrote him.
> 
> Regards
> Alex
> 
> #
> #
> #
> Hi Mark
> 
> I will provide a config example tomorrow. Let you know the details.
> 
> I have them on the other machine.
> 
> In general it is like that - we have a webserver certificate (p12), which we
> use to have the https protocol. The certificate comes together with a p12.pwd
> file and this password of the certificate is stored in the web.xml.
> I want now to remove this password by configuring just the path to this file.
> 
> In case someone renew the certificate, the restart of tomcat can be done
> anytime as always the correct password is used.
> 
> Regards
> Alexander
> #
> #
> #
> 
> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> Sent: Tuesday, 17 January 2023 19:19
> To: Tomcat Users List
> Subject: AW: Password in Tomcat 9.x
> 
> Hello Alex,
> I am not sure what your goal is.
> Webserver certificate (with private key) is used for encryption / ssl / tls.
> Password is used for user authentication and in web.xml you only specify the
> auth method, not any passwords. Or do you plan auth with client certificates?
> 
> Greetings, Thomas
> 
> From: a.grub...@bluewin.ch
> Sent: Tuesday, 17 January 2023 18:34:15
> To: users@tomcat.apache.org
> Subject: Password in Tomcat 9.x
> 
> Hello together
> 
> 
> 
> I would like to understand, when implementing passwords into web.xml, then I
> would like NOT to implement a password, I want to include the path to a
> certificate (p12.pwd). I want to basically avoid, changing all the time the
> password, when I renew my webserver certificate in the configuration.
> 
> 
> 
> Which version of Tomcat 9.x is able to do this? Will it be for seen, that 9.x
> can do this?
> 
> If no 9.x can do, which other Tomcat can do this?
> 
> 
> 
> Thank you
> 
> Alexander Grubner
> 
> 
> 



AW: Password in Tomcat 9.x

2023-01-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Alex,
I usually remove the password on the p12 file via openssl.
Protecting with password and writing the password in clear text somewhere 
doesn't improve security much I think.
Dunno if this is a possible way to go for you.
Greetings,
Thomas

From: a.grub...@bluewin.ch
Sent: Tuesday, 17 January 2023 21:01:00
To: 'Tomcat Users List'
Subject: AW: Password in Tomcat 9.x

Hoi Thomas

Received also from Mark an email where he requested an example of the
web.xml. Will provide you this tomorrow. Below is what I wrote him.

Regards
Alex

#
#
#
Hi Mark

I will provide a config example tomorrow. Let you know the details.

I have them on the other machine.

In general it is like that - we have a webserver certificate (p12), which we
use to have the https protocol. The certificate comes together with a
p12.pwd file and this password of the certificate is stored in the web.xml.
I want now to remove this password by configuring just the path to this
file.

In case someone renew the certificate, the restart of tomcat can be done
anytime as always the correct password is used.

Regards
Alexander
#
#
#

-Original Message-
From: Thomas Hoffmann (Speed4Trade GmbH)
Sent: Tuesday, 17 January 2023 19:19
To: Tomcat Users List
Subject: AW: Password in Tomcat 9.x

Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the
auth method, not any passwords. Or do you plan auth with client
certificates?

Greetings, Thomas

From: a.grub...@bluewin.ch
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be for seen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner






AW: Password in Tomcat 9.x

2023-01-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the 
auth method, not any passwords. Or do you plan auth with client certificates?

Greetings, Thomas

From: a.grub...@bluewin.ch
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be for seen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner



AW: Query: HSTS | Tomcat 9.0.50

2023-01-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

Which browser are you using?
Can you clear the hsts information in the browser after changing the port in 
your configuration?
I think browsers cache the hsts and port information and don't switch to
other ports with hsts.


Greetings, Thomas

From: Deepti Sharma S
Sent: Tuesday, 17 January 2023 05:00:35
To: Tomcat Users List
Subject: RE: Query: HSTS | Tomcat 9.0.50

Hi Olaf,

Let me explain more on my use-case:

1. There is no reverse proxy in between tomcat and UA in my use case.
2. In Tomcat/conf/server.xml I have below connector settings :






When I configure HSTS in Tomcat/conf/web.xml and try to access website via 
HTTPS https://[domain]:8443, HSTS header is returned but ignored
as in when I change URL to http://[domain]:8080 URL is not changed to secured 
URL.



3. When I change conf/server.xml with below connector settings along with HSTS :







Try to access website via HTTPS https://[domain]:433 URL is changed to 
https://[domain],
HSTS header is returned and honoured as in when I change URL to 
http://[domain]:80 URL is changed to secured URL https://[domain].



So my query is how to configure HSTS on explicit custom ports(like in my case 
mentioned in point 2 8080/8443) or what is the recommendation, please suggest?


Regards,
Deepti Sharma
PMP® & ITIL

-Original Message-
From: Olaf Kock 
Sent: 16 January 2023 13:56
To: users@tomcat.apache.org
Subject: Re: Query: HSTS | Tomcat 9.0.50


On 16.01.23 06:57, Deepti Sharma S wrote:
> Hello Team,
>
> Can you please help us for below query:
>
> Query : How to enable HSTS in Apache Tomcat on non-default ports?
>   We have custom ports for http and https and we want to enable HSTS on 
> those custom ports.
>
> Note: We could see HSTS is working with default ports 80/443 though it's not 
> working on other custom ports, please let us know if there are different 
> steps to enable HSTS on non-default ports.
>
In order to "work", HSTS *must* be on https, by specification.

When you say you got it working on 80/443, you haven't. You might see the 
headers, but it's not working. Most likely the header is ignored by the browser.

Wherever you handle your https termination - that might be on Tomcat, or on a 
reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS 
handling. /That/ server knows it's serving https. And there the header actually 
is valid and working.

If you try to configure a http (not https) connector on Tomcat for adding the 
HSTS headers, it's well within the specification to ignore that setting.

Technically you can do some trickery around that, but to make that sensible and 
safely would take more than a quick answer. And leave room for 
misinterpretation and configuration mistakes. So: Configure it anywhere you 
terminate https, and ignore it on http.

Olaf






AW: Is it possible to add hsts header over http response ?

2023-01-11 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Devatha Naga Puneeth
> Sent: Thursday, 12 January 2023 06:52
> To: users@tomcat.apache.org
> Subject: Is it possible to add hsts header over http response ?
> 
> Apache Tomcat Version : 9.0.65
> 
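> <filter>
>   <filter-name>sts</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
>   <init-param>
>     <param-name>hstsEnabledForHttp</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsMaxAgeSeconds</param-name>
>     <param-value>31536000</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsIncludeSubDomains</param-name>
>     <param-value>true</param-value>
>   </init-param>
> </filter>
> 
> <filter-mapping>
>   <filter-name>sts</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>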
> 
> Used the above configuration in the conf/web.xml to add the hsts header.
> It is adding hsts header over only https responses.
> 
> Is it possible to add hsts header over http response through tomcat. If
> possible could you provide a way to add the hsts header over http 302
> responses as well.

HSTS only works via https. I think it's not specified for HTTP and shouldn’t be 
used for this protocol.
So everything works as the specification defines.
You should not violate the specification and browsers won't care about this 
header in http anyway.

Greetings,
Thomas
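
A minimal Java model of the user-agent rules in RFC 6797 (sections 8.1 and 8.3) that bear on this question and on the custom-port HSTS thread above, added here as an example and not taken from the original messages or from Tomcat. It shows that a header received over plain HTTP is ignored and that, on upgrade, an explicit port 80 becomes 443 while any other explicit port is preserved; the class name and the host app.example.test are constructed, and the ten-year cap on max-age is a choice of this model.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/** Constructed model of a browser's HSTS store; not a complete RFC 6797 implementation. */
public final class HstsModel {

    private static final class Policy {
        final Instant expires;
        final boolean includeSubDomains;

        Policy(Instant expires, boolean includeSubDomains) {
            this.expires = expires;
            this.includeSubDomains = includeSubDomains;
        }
    }

    private static final long MAX_AGE_CAP_SECONDS = 315_360_000L; // model choice: 10 years

    private final Map<String, Policy> knownHosts = new HashMap<>();

    /** Section 8.1: the header is processed only when it arrived over https. */
    public boolean noteResponse(URI requestUri, String stsHeader, Instant now) {
        if (stsHeader == null || requestUri.getHost() == null
                || !"https".equalsIgnoreCase(requestUri.getScheme())) {
            return false; // header on insecure transport is ignored
        }
        long maxAge = -1;
        boolean includeSubDomains = false;
        for (String part : stsHeader.split(";")) {
            String directive = part.trim().toLowerCase(Locale.ROOT);
            if (directive.startsWith("max-age=")) {
                String value = directive.substring("max-age=".length()).replace("\"", "").trim();
                try {
                    maxAge = Long.parseLong(value);
                } catch (NumberFormatException e) {
                    return false; // malformed header: ignore it entirely
                }
            } else if (directive.equals("includesubdomains")) {
                includeSubDomains = true;
            }
        }
        if (maxAge < 0) {
            return false; // max-age is a required directive
        }
        String host = requestUri.getHost().toLowerCase(Locale.ROOT);
        if (maxAge == 0) {
            knownHosts.remove(host); // max-age=0 tells the UA to forget the host
        } else {
            Instant expires = now.plusSeconds(Math.min(maxAge, MAX_AGE_CAP_SECONDS));
            knownHosts.put(host, new Policy(expires, includeSubDomains));
        }
        return true;
    }

    /** The policy is keyed by host name only; the port is not part of the match. */
    private boolean isKnownHost(String host, Instant now) {
        String candidate = host.toLowerCase(Locale.ROOT);
        boolean exact = true;
        while (true) {
            Policy p = knownHosts.get(candidate);
            if (p != null && now.isBefore(p.expires) && (exact || p.includeSubDomains)) {
                return true;
            }
            int dot = candidate.indexOf('.');
            if (dot < 0) {
                return false;
            }
            candidate = candidate.substring(dot + 1); // try the parent domain
            exact = false;
        }
    }

    /** Section 8.3: http -> https, explicit port 80 -> 443, any other explicit port kept. */
    public URI rewrite(URI uri, Instant now) throws URISyntaxException {
        if (!"http".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                || !isKnownHost(uri.getHost(), now)) {
            return uri;
        }
        int port = uri.getPort(); // -1 when the URI has no explicit port
        if (port == 80) {
            port = 443;
        }
        return new URI("https", uri.getUserInfo(), uri.getHost(), port,
                uri.getPath(), uri.getQuery(), uri.getFragment());
    }

    public static void main(String[] args) throws URISyntaxException {
        HstsModel ua = new HstsModel();
        Instant now = Instant.now();
        String header = "max-age=31536000; includeSubDomains";
        // Constructed host; ports 8080/8443 mirror the connector ports named in the thread.
        System.out.println("noted over http:  "
                + ua.noteResponse(new URI("http://app.example.test:8080/"), header, now));
        System.out.println("noted over https: "
                + ua.noteResponse(new URI("https://app.example.test:8443/"), header, now));
        String[] requests = {"http://app.example.test:8080/x",
                "http://app.example.test:80/x", "http://app.example.test/x"};
        for (String u : requests) {
            System.out.println(u + " -> " + ua.rewrite(new URI(u), now));
        }
    }
}
```

With the HTTP connector on 8080 and the TLS connector on 8443, the upgraded request keeps port 8080, where no TLS listener exists; HSTS itself never maps one custom port to another.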


AW: Tomcat is not Coming Up

2023-01-11 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Ganesan, Prabu
> Sent: Wednesday, 11 January 2023 16:19
> To: Tomcat Users List
> Subject: Tomcat is not Coming Up
> 
> Hi Team
> 
> Need Emergency Help,
> 
> 
> 
> Our Production Server Was Down, We have not Done any changes on this
> tomcat Level
> 
> But we are seeing this Message.
> 
> 
> 
> Old : INFO [main] org.apache.catalina.startup.VersionLoggerListener.log
> Command line argument: -Djava.library.path=/usr/local/apr/lib
> 
> 
> 
> New : INFO [main] org.apache.catalina.startup.VersionLoggerListener.log
> Command line argument: -Xmx3072m
> 
> 
> 
> 
> 
> Old : INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> Loaded APR based Apache Tomcat Native library [1.2.23] using APR version
> [1.6.3]
> 
> 
> 
> New : INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> Loaded APR based Apache Tomcat Native library [1.2.17] using APR version
> [1.4.8]
> 
> 
> 
> Is That could be reason to Not coming up the server?
> 
> 
> Can someone Help me Please. We are not able to Start the services.
> 
> 
> 
> Thanks & Regards,
> _

There is no error visible in the provided snippet.
Usually, there are errors logged in other logfiles.
Please check every logfile in tomcat/logs folder and also check syslog for 
related errors.

Greetings,
Thomas


AW: HTTP/2 streams reset by Tomcat are treted as 503 errors by Apache HTTP Server

2022-12-16 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Lorenzo,

> -Original Message-
> From: Lorenzo Dalla Vecchia
> Sent: Thursday, 15 December 2022 23:42
> To: users@tomcat.apache.org
> Subject: HTTP/2 streams reset by Tomcat are treted as 503 errors by Apache
> HTTP Server
> 
> Hello.
> 
> We are having a random issue in a setup with Tomcat deployed behind Apache
> httpd. Some HTTP/2 requests proxied to Tomcat by httpd end with a
> 503 (service unavailable) response to the web browser client.
> 
> Tomcat version is 9.0.58 running with Java 1.8.0 in a Docker container.
> Docker version is 18.09.2 and the host machine runs Ubuntu 18.04.
> 
> I only have access to httpd logs, because enabling Tomcat logs
> (org.apache.coyote.http2.level = FINE) cause the problem to go away.
> 
> The following is an excerpt of a failing HTTP/2 stream, requested by httpd to
> Tomcat.
> 
>[Thu Dec 15 21:21:25.202719 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(931): [remote 192.168.65.2:18095]
> AH03363: h2_proxy_session(219-1289): submit localhost/app/143.js -> 1
>[Thu Dec 15 21:21:25.202784 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(345): [remote 192.168.65.2:18095]
> AH03343: h2_proxy_session(219-1289): sent FRAME[HEADERS[length=549,
> hend=1, stream=1, eos=0]]
>[Thu Dec 15 21:21:25.277438 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(267): [remote 192.168.65.2:18095]
> AH03341: h2_proxy_session(219-1289): recv FRAME[HEADERS[length=120,
> hend=1, stream=1, eos=0]]
>[Thu Dec 15 21:21:25.277441 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(267): [remote 192.168.65.2:18095]
> AH03341: h2_proxy_session(219-1289): recv FRAME[DATA[length=0, flags=1,
> stream=1, padlen=0]]
>[Thu Dec 15 21:21:25.277445 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(267): [remote 192.168.65.2:18095]
> AH03341: h2_proxy_session(219-1289): recv FRAME[RST_STREAM[length=4,
> flags=0, stream=1]]
>[Thu Dec 15 21:21:25.277448 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(560): [remote 192.168.65.2:18095]
> AH03360: h2_proxy_session(219-1289): stream=1, closed, err=8
>[Thu Dec 15 21:21:25.277449 2022] [proxy_http2:debug] [pid 44:tid
> 139828875544320] h2_proxy_session.c(1352): [remote 192.168.65.2:18095]
> AH03364: h2_proxy_sesssion(219-1289): stream(1) closed (touched=0,
> error=8)
> 
> This is a similar excerpt from a successful HTTP/2 stream between the same
> servers.
> 
>[Wed Dec 14 15:31:19.516817 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(931): [remote 192.168.65.2:18095]
> AH03363: h2_proxy_session(212-197): submit localhost/app/1543.js -> 3
>[Wed Dec 14 15:31:19.516849 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(345): [remote 192.168.65.2:18095]
> AH03343: h2_proxy_session(212-197): sent FRAME[HEADERS[length=59,
> hend=1, stream=3, eos=0]]
>[Wed Dec 14 15:31:19.569569 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(267): [remote 192.168.65.2:18095]
> AH03341: h2_proxy_session(212-197): recv FRAME[HEADERS[length=33,
> hend=1, stream=3, eos=0]]
>[Wed Dec 14 15:31:19.569575 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(267): [remote 192.168.65.2:18095]
> AH03341: h2_proxy_session(212-197): recv FRAME[DATA[length=0, flags=1,
> stream=3, padlen=0]]
>[Wed Dec 14 15:31:19.569576 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(560): [remote 192.168.65.2:18095]
> AH03360: h2_proxy_session(212-197): stream=3, closed, err=0
>[Wed Dec 14 15:31:19.569577 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(1352): [remote 192.168.65.2:18095]
> AH03364: h2_proxy_sesssion(212-197): stream(3) closed (touched=0,
> error=0)
>[Wed Dec 14 15:31:19.569753 2022] [proxy_http2:debug] [pid 42:tid
> 140518005270272] h2_proxy_session.c(267): [remote 192.168.65.2:18095]
> AH03341: h2_proxy_session(212-197): recv FRAME[RST_STREAM[length=4,
> flags=0, stream=3]]
> 
> In both cases, the request is a GET with "If-Modified-Since" header that
> should result in a 304 response (not modified).
> So, it is correct that there is no request nor response body.
> The sequence of exchanged frames is
> 
> - httpd sends HEADERS frame,
> - Tomcat sends HEADERS frame,
> - Tomcat sends DATA frame with length 0 (correct) and with END_STREAM flag
> (1),
> - Tomcat sends RST_STREAM frame.
> 
> I think the problem is somehow related to the RST_STREAM frame.
> In the failing case, it is read by httpd before it declares the stream
> closed, and the frame contained the CANCEL error code (error=8, err=8).
> In the successful case, it is read by httpd after the stream is declared
> closed, so the log does not show its error code. Either the code is
> NO_ERROR (0) or it is still CANCEL (8) but it is too late for 

AW: JTA transactions support in Tomcat 9 !!

2022-12-14 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: dineshk
> Sent: Thursday, 15 December 2022 06:19
> To: Tomcat Users List
> Subject: JTA transactions support in Tomcat 9 !!
> 
> Hi,
> Could anybody provide the information if JTA transactions are supported or not
> in Tomcat 9.X. If not, is there any way to achieve the JTA transactions? We are
> using hibernate for our persistence layer. Regards Dinesh

JTA is part of Jakarta EE / Java EE. 
This is not a part Tomcat covers. You need to use Hibernate or Eclipselink 
which implements this standard.
Only the version must match to Tomcat. Like for Jakarta EE you need Tomcat 10 
or above.
This site should answer your question:
https://tomcat.apache.org/whichversion.html

Greetings,
Thomas


AW: Starting Tomcat 10 at bootup

2022-11-25 Thread Thomas Hoffmann (Speed4Trade GmbH)
> -Original Message-
> From: Rob Sargent
> Sent: Saturday, 26 November 2022 06:32
> To: Tomcat Users List
> Subject: Re: Starting Tomcat 10 at bootup
> 
> 
> > On Nov 25, 2022, at 4:28 PM, Amn Ojee Uw wrote:
> >
> > Hey folks!
> >
> > The issue :
> > ~~~
> >
> > I just installed 'apache-tomcat-10.0.27.tar.gz' in my Debian 11 (stable) box,
> > running OpenJDK 17.0.4, this was done following the recommendation on 'How
> > to Install Apache Tomcat on Debian 11 (Step by Step)'.
> > With the exception of the java installation, I followed the steps up to section 8
> > where I get this error :
> >
> > sudo systemctl restart tomcat
> > Job for tomcat.service failed because the control process exited
> > with error code. See "systemctl status tomcat.service" and
> > "journalctl -xe" for details.
> >
> > I followed the recommendation of the error message and I get this :
> >
> > systemctl status tomcat.service
> > ● tomcat.service - Tomcat webs servlet container
> >  Loaded: loaded (/etc/systemd/system/tomcat.service; *enabled*; vendor
> preset>
> >  Active: activating (auto-restart) (Result: exit-code) since Fri 
> > 2022-11-25>
> > Process: 86949 ExecStart=/opt/tomcat/bin/startup.sh (code=exited,
> status=0/>
> > Process: 86960 ExecStop=/opt/tomcat/bin/shutdown.sh (code=exited,
> status=1/>
> > CPU: 38ms
> >
> > My Imperfect Solution
> > ~~~
> >
> > If from the command prompt or a shell script, I run this code sudo
> > '/opt/tomcat/bin/catalina.sh run', Tomcat runs nicely, but it grabs the Terminal,
> > if I close the Terminal, Tomcat just stops working. Obviously not a perfect
> > solution.
> >
> > I am a newcomer to the Linux world, but in Windows I had the same issue, so I
> > wonder if this is a potential bug.
> >
> > Please help me resolve this issue or let me know how to report this bug. (This
> > would be my first contribution to the team, so I am rightfully excited).
> >
> > Thanks in advance.
> 
> What do the logs have to say?
> 

Syslog and Tomcat-Logs should provide more information.
Systemctl usually doesn’t help much even if it tells you to look at it 

Btw: You can also run the sh-file with ampersand at the end to get back to your 
console.


AW: Alias name [server] does not identify a key entry + tomcat SSL

2022-11-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
What happens if you remove the keyalias attribute?

From: thulasiram k
Sent: Monday, 14 November 2022 04:10:18
To: Tomcat Users List
Subject: Re: Alias name [server] does not identify a key entry + tomcat SSL

Hi Thomas,

Thanks for helping me here. I have deleted the old certs so only new certs
are in the key store. I tried with a pfx file but still the same issue and
I have mentioned the server.xml with the alias and type also. here the
config which I have in my file.

 

And the tomcat version is 8.5.34. and here is the error which we are
receiving in the log.

13-Nov-2022 16:24:59.451 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: Alias name [server] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.io.IOException: Alias name [server] does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    ... 20 more


let me know anything else required or suggestions.

Thanks
Ram

On Mon, Nov 14, 2022 at 3:05 AM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
>
> maybe you have several keys in your keystore file.
> You can e.g. use https://code.google.com/archive/p/keytool-iui/ to take
> an easy look into your keystore file.
> You can delete the old one or use the connector attribute
> certificateKeyAlias to tell tomcat which key to use.
> The keys can be imported with an alias which must match the attribute.
>
> I personally prefer pfx format instead of java keystore. There is no need
> for an import and easier to handle.
> In order to use pfx you need to set the attribute keystoreType=pkcs12
> Pfx holds the private key and the public certificate.
>
> If this doesn’t help, please tell the tomcat version as the configuration
> depends on the version.
> Also the connector snippet is helpful (hide the password).
>
> Greetings, Thomas
>
> > -----Original Message-----
> > From: thulasiram k
> > Sent: Sunday, 13 November 2022 16:53
> > To: Tomcat Users List
> > Subject: Alias name [server] does not identify a key entry + tomcat SSL
> >
> > Hi Team,
> >
> > I am trying to renew my existing certificate. when I import the new cert
> it has
> > imported successfully and I can view that in the listing as well.
> >
> > But when I restart my tomcat I am getting the below error and
> application is
> > not accessible with https.
> >
> > Error:
> > Caused by: java.lang.IllegalArgumentException: Alias name [server] does
> not
> > identify a key entry at
> > org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsse
> > Endpoint.java:1

AW: Alias name [server] does not identify a key entry + tomcat SSL

2022-11-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

maybe you have several keys in your keystore file.
You can e.g. use https://code.google.com/archive/p/keytool-iui/ to take an easy 
look into your keystore file.
You can delete the old one or use the connector attribute certificateKeyAlias 
to tell tomcat which key to use.
The keys can be imported with an alias which must match the attribute.

I personally prefer pfx format instead of java keystore. There is no need for 
an import and easier to handle.
In order to use pfx you need to set the attribute keystoreType=pkcs12
Pfx holds the private key and the public certificate.

If this doesn’t help, please tell the tomcat version as the configuration 
depends on the version.
Also the connector snippet is helpful (hide the password).

Greetings, Thomas

> -----Original Message-----
> From: thulasiram k
> Sent: Sunday, 13 November 2022 16:53
> To: Tomcat Users List
> Subject: Alias name [server] does not identify a key entry + tomcat SSL
> 
> Hi Team,
> 
> I am trying to renew my existing certificate. when I import the new cert it has
> imported successfully and I can view that in the listing as well.
>
> But when I restart my tomcat I am getting the below error and application is
> not accessible with https.
>
> Error:
> Caused by: java.lang.IllegalArgumentException: Alias name [server] does not identify a key entry
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
>     ... 13 more
> Caused by: java.io.IOException: Alias name [server] does not identify a key entry
>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>     ... 20 more
>
> I tried exporting with a private key and configuring the keystoreType="PKCS12"
> but still no luck. Please help me with this issue if any one has faced a similar
> situation.
> 
> Thanks
> Ram
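
The advice above (look into the keystore, make sure the alias on the connector matches an entry that holds the key) can be checked with the standard java.security.KeyStore API. The following is an added example, not code from this thread or from Tomcat; the class name, the KEYSTORE_PASS environment variable and the default alias "server" (taken from the error message) are assumptions of the example.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Tomcat code. Lists the aliases in a keystore and reports
 * whether the alias named on the connector is a key entry.
 *
 * Usage: java KeystoreAliasCheck <keystore-file> <JKS|PKCS12> [alias]
 */
public class KeystoreAliasCheck {

    /** Maps every alias to the kind of entry stored under it. */
    static Map<String, String> classify(KeyStore ks) throws Exception {
        Map<String, String> kinds = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                kinds.put(alias, "key entry");              // private (or secret) key
            } else if (ks.isCertificateEntry(alias)) {
                kinds.put(alias, "certificate-only entry"); // trusted certificate, no key
            } else {
                kinds.put(alias, "unknown entry");
            }
        }
        return kinds;
    }

    /** Explains what a connector configured with this alias would find. */
    static String verdict(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "FAIL: no entry named [" + alias + "] in this keystore";
        }
        if (!ks.isKeyEntry(alias)) {
            // Typical after importing a certificate under a new alias: the
            // entry then carries the certificate but not the private key.
            return "FAIL: [" + alias + "] holds only a certificate, no private key";
        }
        long keyEntries = classify(ks).values().stream()
                .filter("key entry"::equals).count();
        return keyEntries > 1
                ? "OK: [" + alias + "] is a key entry (" + keyEntries
                        + " key entries present, so the connector should name the alias)"
                : "OK: [" + alias + "] is a key entry";
    }

    /** Reads the password without echoing it; falls back to an environment variable. */
    static char[] readPassword() {
        Console console = System.console();
        if (console != null) {
            char[] typed = console.readPassword("Keystore password: ");
            return typed != null ? typed : new char[0];
        }
        String fromEnv = System.getenv("KEYSTORE_PASS"); // name chosen for this example
        return fromEnv != null ? fromEnv.toCharArray() : new char[0];
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreAliasCheck <keystore-file> <JKS|PKCS12> [alias]");
            System.exit(2);
        }
        String alias = args.length > 2 ? args[2] : "server";
        KeyStore ks = KeyStore.getInstance(args[1]);
        char[] password = readPassword();
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password in memory
        }
        classify(ks).forEach((name, kind) -> System.out.printf("%-24s %s%n", name, kind));
        String result = verdict(ks, alias);
        System.out.println(result);
        System.exit(result.startsWith("OK") ? 0 : 1);
    }
}
```

The non-zero exit code on a missing or certificate-only alias lets the check run as a step before Tomcat is restarted after a certificate renewal.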




AW: Tomcat 10 with Http2 and compression sometimes causes pages to load partly in FF

2022-11-07 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark,

> -----Original Message-----
> From: Mark Thomas
> Sent: Monday, 7 November 2022 12:43
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 10 with Http2 and compression sometimes causes pages to
> load partly in FF
> 
> On 06/11/2022 19:35, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello Mark,
> >
> > I found some time for digging into this older topic with the combination
> > http2, Firefox, Compression and only partly loaded pages.
> > I hope I or the topic doesn’t bother you.
>
> Not at all. If there is a Tomcat bug here, I want to get it fixed.
>
> > As apache-tomcat-10.0.0-M7 doesn’t show the problem with broken pages
> > in FF (jsp page only partly loads) and it showed up with
> > apache-tomcat-10.0.0-M8, I was taking a look at the changes. This was my
> > current approach to this topic.
> >
> > The change which makes the difference is in Http2UpgradeHandler:
> >
> >     int reserveWindowSize(Stream stream, int reservation, boolean block)
> >             throws IOException {
> >         ...
> >         if (!stream.canWrite()) {
> >             stream.doStreamCancel(sm.getString("upgradeHandler.stream.notWritable",
> >                     stream.getConnectionId(), stream.getIdAsString()),
> >                     Http2Error.STREAM_CLOSED);
> >         }
> >
> > The older version just threw an exception instead of calling doStreamCancel
> > when the client is closing the stream:
> >
> >         if (!stream.canWrite()) {
> >             throw new CloseNowException(
> >                     sm.getString("upgradeHandler.stream.notWritable",
> >                             stream.getConnectionId(), stream.getIdentifier()));
> >         }
> >
> > The method doStreamCancel is setting some properties before throwing also
> > a CloseNowException:
> >
> >     void doStreamCancel(String msg, Http2Error error) throws CloseNowException {
> >         StreamException se = new StreamException(msg, error, getIdAsInt());
> >         // Prevent the application making further writes
> >         streamOutputBuffer.closed = true;
> >         // Prevent Tomcat's error handling trying to write
> >         coyoteResponse.setError();
> >         coyoteResponse.setErrorReported();
> >         // Trigger a reset once control returns to Tomcat
> >         streamOutputBuffer.reset = se;
> >         throw new CloseNowException(msg, se);
> >     }
> >
> > The line "streamOutputBuffer.closed = true;" seems to be responsible for the
> > partly shown pages in FF.
> > If I comment out this line, no problem shows up with FF, http2 and
> > compression="force".
> 
> Nice bit of detective work. Setting streamOutputBuffer.closed=true will
> prevent the application from writing the rest of the resource content which
> would explain the partial response seen on the client side.
>
> > This line seems to have some side effect somewhere else.
> > Unfortunately, I don’t know the code of Tomcat and http2 protocol.
> > Can you think about which side effect this line might have (in combination
> > with compression / GZipOutputFilter)?
> > Maybe you have an inspiring idea about the cause or have a hint, where to
> > follow the track.
> 
> I think this is more symptom rather than root cause. The symptom is visible
> because of the change to call doStreamCancel() but the question for me is what
> is triggering this to be called in the first place.
> 
> Digging into that a little:
> 
> stream.canWrite() needs to return false.
> 
> That happens when the Stream is in one of the states that does not permit
> write. Those states are:
> IDLE
> RESERVED_LOCAL
> HALF_CLOSED_LOCAL
> CLOSED_RX
> CLOSED_TX
> CLOSED_RST_RX
> CLOSED_RST_TX
> 
> One thing we could do is improve the error message so it logs the current
> Stream state. That will help narrow down how the Stream got into that state.
> 
> I'll get that done for the next set of releases.
> 
> Mark

Thank you so much for investigating this.
As far as I saw in the Wireshark dump, the Firefox-Browser is closing one http2 
stream (don’t know why FF behaves like that).
It seems FF is fetching cached resources and after fetching recognizes that it 
doesn’t need it.
So the reason is that the browser is cancelling / closing the http2-stream.
The closed stream happens in version 10.0.0-M7 and 10.0.0-M8 but only causes 
issues in version M8. Thus I assume that the issue is somewhere later on in the 
handling.

Strangely it causes only problems in connection with the compression=on/force 
setting.


Tomcat 10 with Http2 and compression sometimes causes pages to load partly in FF

2022-11-06 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark,

I found some time for digging into this older topic with the combination http2, 
Firefox, Compression and only partly loaded pages.
I hope I or the topic doesn’t bother you. 

As apache-tomcat-10.0.0-M7 doesn’t show the problem with broken pages in FF 
(jsp page only partly loads) and
it showed up with apache-tomcat-10.0.0-M8, I was taking a look at the changes. 
This was my current approach to this topic.

The change which makes the difference is in Http2UpgradeHandler:

    int reserveWindowSize(Stream stream, int reservation, boolean block) throws IOException {
        ...
        if (!stream.canWrite()) {
            stream.doStreamCancel(sm.getString("upgradeHandler.stream.notWritable",
                    stream.getConnectionId(), stream.getIdAsString()),
                    Http2Error.STREAM_CLOSED);
        }

The older version just threw an exception instead of calling doStreamCancel
when the client is closing the stream:

        if (!stream.canWrite()) {
            throw new CloseNowException(
                    sm.getString("upgradeHandler.stream.notWritable",
                            stream.getConnectionId(), stream.getIdentifier()));
        }

The method doStreamCancel is setting some properties before throwing also a
CloseNowException:

    void doStreamCancel(String msg, Http2Error error) throws CloseNowException {
        StreamException se = new StreamException(msg, error, getIdAsInt());
        // Prevent the application making further writes
        streamOutputBuffer.closed = true;
        // Prevent Tomcat's error handling trying to write
        coyoteResponse.setError();
        coyoteResponse.setErrorReported();
        // Trigger a reset once control returns to Tomcat
        streamOutputBuffer.reset = se;
        throw new CloseNowException(msg, se);
    }

The line "streamOutputBuffer.closed = true;" seems to be responsible for the 
partly shown pages in FF.
If I comment out this line, no problem shows up with FF, http2 and 
compression="force".

This line seems to have some side effect somewhere else.
Unfortunately, I don’t know the code of Tomcat and http2 protocol. 
Can you think about which side effect this line might have (in combination with 
compression / GZipOutputFilter)?
Maybe you have an inspiring idea about the cause or have a hint, where to 
follow the track.

Thank you very much in advance,
Thomas




AW: Need an answer for below query _ high critical for Middleware end in my team

2022-11-04 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

I suggest to not mix topics in one thread.
One thread, one topic.
I think most of the mentioned questions are found at the documentation, e.g.
https://tomcat.apache.org/tomcat-10.0-doc/config/context.html

The watched resources are observed for changes and can trigger reloads of the
application. A context is usually used for one application which is accessible
via a url, e.g. /mysampleapp

Greetings, Thomas

From: Ganesan, Prabu
Sent: Friday, 4 November 2022 07:59:04
To: Усманов Азат Анварович; users@tomcat.apache.org
Subject: Need an answer for below query _ high critical for Middleware end in
my team

Hi guys anyone help me on this below query.

Can you please help me with following:
What purpose does the values in the Environment tags and the values inside 
context.xml serve?
What purpose does the WatchedResource tags and the values inside the 
context.xml serve?

(Explain how the Tomcat components and different context settings are related 
(in the underlying packages)

Please can anybody ans for this



From: Усманов Азат Анварович 
Sent: Friday, November 4, 2022 1:11 AM
To: users@tomcat.apache.org 
Subject: any plans for tomcat-native 1.2.36


Hi Everyone!

I'm wondering if there are plans to release the next version of tomcat
native 1.2 branch? I've scheduled a big server migration as well as
tomcat upgrade 7.0.92 to -9.0.48 (everything seems to work on
test-environment) at $work on weekend (Oct 5th-6th). I usually build
openssl, tomcat-native manually, currently using openssl 3.03 and tomcat
native 1.2.33. It would be nice to upgrade both openssl and tomcat
native at the same time during scheduled downtime. I did see a vote on a
dev list for next release of 2.0 branch of tomcat native. Any plans for
tomcat-native 1.2.36?

Sincerely, Azat Usmanov

P.S. Our servers run on RHEL6




AW: Apache Tomcat started, but error 404

2022-10-24 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -----Original Message-----
> From: Strib
> Sent: Monday, 24 October 2022 08:10
> To: users@tomcat.apache.org
> Subject: Apache Tomcat started, but error 404
> 
> Hello, trying to see if anyone else had this issue. After a reboot of hot and
> warm servers, my sites using Tomcat throws the error 404 only on the hot
> servers. I've stopped and started Tomcat services, nothing. In the logs, there
> were 2 errors. One was Catalina. But even though the error happened on hot
> and warm servers, warm sites are still working, so I'm thinking that's not it.
> The other error on the hot servers says startup error. Is it just luck of the
> draw, of starting/stopping Tomcat services?
> Is it something else, entirely? Frustrating that Tomcat does not have a UI to
> make this easier. Thanks in advance.
> 
> Very respectfully,
> Darious

Could you paste the error message about the startup issue?
404 sounds like your application failed to start but Tomcat is running.
So it might be an issue with the application.
In the log files there is usually information about the reason.

Greetings, Thomas


AW: About granting permissions to Tomcat JVM

2022-10-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -----Original Message-----
> From: Martin Moore
> Sent: Sunday, 9 October 2022 17:59
> To: Tomcat Users List
> Subject: Re: About granting permissions to Tomcat JVM
> 
> @thomas.hoffm...@speed4trade.com.invalid
>   how to use the debugger in
> this case ?any documentation pls ?

For debugging you need the sources. Either you have a development environment 
where you start debugging.
Alternatively you can open a JMX port and do remote debugging (e.g. with 
eclipse)
Details about remote debugging are e.g. 
https://stackify.com/java-remote-debugging/ 

I don’t think that there are libs or something else missing. As you see an open
file handle, the next step is to
figure out which part of the program is causing the left open file handle.


> @Rob Sargent i posted most of the methods used in the app, but yes JVM is
> holding off on deleting the file...
> 
> On Sun, 9 Oct 2022 at 17:31, Thomas Hoffmann (Speed4Trade GmbH)
> wrote:
> 
> > Hello,
> >
> > > About the methods i use in the application along with file.delete()
> > (which is
> > > what this post is about) I use File[] files = new
> > > File("C:\\SomeFolder").listFiles();
> > > file.getName();
> > > file.lastModified()
> > > Path path = Paths.get(fileName);
> > > Would any of these cause the lock on the file ?
> >
> > They don't look suspicious to me. What you could do is, use the
> > debugger to go step by step.
> > In parallel, use the ProcessExplorer to see at which point the file
> > handle appears.
> > Maybe it is more hidden in some other routines which might use a
> > MappedByteBuffer to read or write.
> >
> >
> > >
> > > On Sun, 9 Oct 2022 at 16:03, Thomas Hoffmann (Speed4Trade GmbH)
> > > wrote:
> > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Martin Moore
> > > > > Sent: Sunday, 9 October 2022 15:37
> > > > > To: thomas.hoffm...@speed4trade.com.invalid; Tomcat Users List
> > > > > Subject: Re: About granting permissions to Tomcat JVM
> > > > >
> > > > > the ProcessExplorer shows that a Java process is running on the
> > > > > file and
> > > > this
> > > > > only after actually performing the delete from Java.
> > > >
> > > >
> > > > Some possibilities for file locking.
> > > > - the upload process didn’t close the streams properly
> > > > - You use http2 and sendfile
> > > > - You are using a MappedByteBuffer before deletion:
> > > > https://bugs.openjdk.org/browse/JDK-4724038
> > > >
> > > > ... just some ideas which cause file locking ...
> > > >
> > > > > On Sun, 9 Oct 2022 at 15:23, Thomas Hoffmann (Speed4Trade GmbH)
> > > > > wrote:
> > > > >
> > > > > > Hello,
> > > > > > this might be a behavior of the underlying OS.
> > > > > > If the file is locked, it is marked for deletion and when the
> > > > > > file lock is released, the file is physically deleted.
> > > > > >
> > > > > > Maybe you can check with ProcessExplorer from MS whether there
> > > > > > is an open file handle on this file.
> > > > > >
> > > > > > Greetings,
> > > > > > Thomas
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Martin Moore
> > > > > > > Sent: Sunday, 9 October 2022 09:56
> > > > > > > To: Tomcat Users List; ma...@apache.org
> > > > > > > Subject: Re: About granting permissions to Tomcat JVM
> > > > > > >
> > > > > > > Hello Mark,
> > > > > > >
> > > > > > > I don't know if the SecurityManager is enabled or not (how
> > > > > > > to disable it
> > > > > > > btw?)
> > > > > > > I set the env var CATALINA_HOME to be C:/Program
> > > > > > > Files/Apache-Tomcat-8/ The files in question are stored in
> > > > > > > Desktop/SomeFolder
> > > > > > >
> > > > > > > Thanks.
> > > > > > >
> > > > > > > > On Sun, 9 Oct 2022 at 08:00, Mark Thomas
> > > > 

AW: About granting permissions to Tomcat JVM

2022-10-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
 
> About the methods i use in the application along with file.delete() (which is
> what this post is about) I use File[] files = new
> File("C:\\SomeFolder").listFiles();
> file.getName();
> file.lastModified()
> Path path = Paths.get(fileName);
> Would any of these cause the lock on the file ?

They don't look suspicious to me. What you could do is, use the debugger to go 
step by step.
In parallel, use the ProcessExplorer to see at which point the file handle 
appears.
Maybe it is more hidden in some other routines which might use a 
MappedByteBuffer to read or write.


> 
> On Sun, 9 Oct 2022 at 16:03, Thomas Hoffmann (Speed4Trade GmbH)
> wrote:
> 
> >
> > > -----Original Message-----
> > > From: Martin Moore
> > > Sent: Sunday, 9 October 2022 15:37
> > > To: thomas.hoffm...@speed4trade.com.invalid; Tomcat Users List
> > > Subject: Re: About granting permissions to Tomcat JVM
> > >
> > > the ProcessExplorer shows that a Java process is running on the file
> > > and
> > this
> > > only after actually performing the delete from Java.
> >
> >
> > Some possibilities for file locking.
> > - the upload process didn’t close the streams properly
> > - You use http2 and sendfile
> > - You are using a MappedByteBuffer before deletion:
> > https://bugs.openjdk.org/browse/JDK-4724038
> >
> > ... just some ideas which cause file locking ...
> >
> > > On Sun, 9 Oct 2022 at 15:23, Thomas Hoffmann (Speed4Trade GmbH)
> > > wrote:
> > >
> > > > Hello,
> > > > this might be a behavior of the underlying OS.
> > > > If the file is locked, it is marked for deletion and when the file
> > > > lock is released, the file is physically deleted.
> > > >
> > > > Maybe you can check with ProcessExplorer from MS whether there is
> > > > an open file handle on this file.
> > > >
> > > > Greetings,
> > > > Thomas
> > > >
> > > > > -----Original Message-----
> > > > > From: Martin Moore
> > > > > Sent: Sunday, 9 October 2022 09:56
> > > > > To: Tomcat Users List; ma...@apache.org
> > > > > Subject: Re: About granting permissions to Tomcat JVM
> > > > >
> > > > > Hello Mark,
> > > > >
> > > > > I don't know if the SecurityManager is enabled or not (how to
> > > > > disable it
> > > > > btw?)
> > > > > I set the env var CATALINA_HOME to be C:/Program
> > > > > Files/Apache-Tomcat-8/ The files in question are stored in
> > > > > Desktop/SomeFolder
> > > > >
> > > > > Thanks.
> > > > >
> > > > > > On Sun, 9 Oct 2022 at 08:00, Mark Thomas wrote:
> > > > >
> > > > > > On 08/10/2022 17:36, Martin Moore wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am facing a problem using Tomcat V8 with my J2ee app that
> > > > > > > deletes
> > > > > > (using
> > > > > > > file.delete() Java 8) a file from disk (Windows). The file
> > > > > > > is actually deleting only on application level meaning that
> > > > > > > the application does not see the file anymore but if i open
> > > > > > > the folder i still see the file which
> > > > > > is
> > > > > > > then locked by Java process. I only get the file to be
> > > > > > > removed physically when i close the Tomcat instance.
> > > > > > >
> > > > > > > Does this problem relate to permissions in catalina.policy ?
> > > > > >
> > > > > > Unlikely.
> > > > > >
> > > > > > Are you using a SecurityManager?
> > > > > >
> > > > > > > How to solve this?
> > > > > >
> > > > > > Where, exactly, are you storing these files? Where, exactly,
> > > > > > are CATALINA_HOME and CATALINA_BASE?
> > > > > >
> > > > > > Mark
> > > > > >



AW: About granting permissions to Tomcat JVM

2022-10-09 Thread Thomas Hoffmann (Speed4Trade GmbH)

> -----Original Message-----
> From: Martin Moore
> Sent: Sunday, 9 October 2022 15:37
> To: thomas.hoffm...@speed4trade.com.invalid; Tomcat Users List
> Subject: Re: About granting permissions to Tomcat JVM
> 
> the ProcessExplorer shows that a Java process is running on the file and this
> only after actually performing the delete from Java.


Some possibilities for file locking.
- the upload process didn’t close the streams properly
- You use http2 and sendfile
- You are using a MappedByteBuffer before deletion: 
https://bugs.openjdk.org/browse/JDK-4724038

... just some ideas which cause file locking ...
 
> On Sun, 9 Oct 2022 at 15:23, Thomas Hoffmann (Speed4Trade GmbH)
> wrote:
> 
> > Hello,
> > this might be a behavior of the underlying OS.
> > If the file is locked, it is marked for deletion and when the file
> > lock is released, the file is physically deleted.
> >
> > Maybe you can check with ProcessExplorer from MS whether there is an
> > open file handle on this file.
> >
> > Greetings,
> > Thomas
> >
> > > -----Original Message-----
> > > From: Martin Moore
> > > Sent: Sunday, 9 October 2022 09:56
> > > To: Tomcat Users List; ma...@apache.org
> > > Subject: Re: About granting permissions to Tomcat JVM
> > >
> > > Hello Mark,
> > >
> > > I don't know if the SecurityManager is enabled or not (how to
> > > disable it
> > > btw?)
> > > I set the env var CATALINA_HOME to be C:/Program
> > > Files/Apache-Tomcat-8/ The files in question are stored in
> > > Desktop/SomeFolder
> > >
> > > Thanks.
> > >
> > > On Sun, 9 Oct 2022 at 08:00, Mark Thomas wrote:
> > >
> > > > On 08/10/2022 17:36, Martin Moore wrote:
> > > > > Hello,
> > > > >
> > > > > I am facing a problem using Tomcat V8 with my J2ee app that
> > > > > deletes
> > > > (using
> > > > > file.delete() Java 8) a file from disk (Windows). The file is
> > > > > actually deleting only on application level meaning that the
> > > > > application does not see the file anymore but if i open the
> > > > > folder i still see the file which
> > > > is
> > > > > then locked by Java process. I only get the file to be removed
> > > > > physically when i close the Tomcat instance.
> > > > >
> > > > > Does this problem relate to permissions in catalina.policy ?
> > > >
> > > > Unlikely.
> > > >
> > > > Are you using a SecurityManager?
> > > >
> > > > > How to solve this?
> > > >
> > > > Where, exactly, are you storing these files? Where, exactly, are
> > > > CATALINA_HOME and CATALINA_BASE?
> > > >
> > > > Mark
> > > >
> >
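
Two of the causes listed above, a stream that is never closed and a MappedByteBuffer that stays mapped after its channel is closed (JDK-4724038), can be observed with a small stand-alone program. This is an added example, not code from the thread; the class name, file prefixes and sample content are made up. What delete() reports depends on the operating system: on Windows an open handle or a live mapping typically blocks or defers the removal, while on Linux the name disappears at once.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.MappedByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

/** Added example: shows how open handles and mappings interact with File.delete(). */
public class OpenHandleDeleteDemo {

    /** Creates a temp file with constructed sample content. */
    static Path newSampleFile(String prefix) throws IOException {
        Path file = Files.createTempFile(prefix, ".txt");
        Files.write(file, "constructed sample content".getBytes(StandardCharsets.UTF_8));
        file.toFile().deleteOnExit(); // best-effort cleanup if a delete below fails
        return file;
    }

    /** Tries File.delete() and reports both its return value and what is visible afterwards. */
    static String deleteReport(Path file) {
        if (!Files.exists(file)) {
            return "already gone";
        }
        boolean returned = file.toFile().delete();
        return "delete() returned " + returned + ", still visible: " + Files.exists(file);
    }

    /** The leak: reads one byte and never closes the stream. */
    static InputStream readWithoutClosing(Path file) throws IOException {
        InputStream in = new FileInputStream(file.toFile());
        in.read();
        return in; // returned only so that main() can close it later
    }

    /** The fix: try-with-resources releases the handle on every path. */
    static int readAndClose(Path file) throws IOException {
        try (InputStream in = new FileInputStream(file.toFile())) {
            return in.read();
        }
    }

    /** Maps the file and closes the channel; the mapping outlives the channel. */
    static MappedByteBuffer mapFile(Path file) throws IOException {
        try (FileChannel channel = FileChannel.open(file, StandardOpenOption.READ)) {
            return channel.map(FileChannel.MapMode.READ_ONLY, 0, channel.size());
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("OS: " + System.getProperty("os.name"));

        Path leaked = newSampleFile("leaked-stream-");
        InputStream open = readWithoutClosing(leaked);
        System.out.println("stream still open : " + deleteReport(leaked));
        open.close();
        System.out.println("after close()     : " + deleteReport(leaked));

        Path closed = newSampleFile("closed-stream-");
        readAndClose(closed);
        System.out.println("try-with-resources: " + deleteReport(closed));

        Path mapped = newSampleFile("mapped-");
        MappedByteBuffer buffer = mapFile(mapped);
        System.out.println("mapping alive     : " + deleteReport(mapped));
        // Using the buffer here keeps it reachable during the delete attempt above.
        System.out.println("first mapped byte : " + (char) buffer.get(0));
        buffer = null;
        System.gc(); // only a hint; there is no supported way to unmap explicitly
        System.out.println("after gc() hint   : " + deleteReport(mapped));
    }
}
```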




AW: About granting permissions to Tomcat JVM

2022-10-09 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
this might be a behavior of the underlying OS.
If the file is locked, it is marked for deletion and when the file lock is 
released, the file is physically deleted.

Maybe you can check with ProcessExplorer from MS whether there is an open file 
handle on this file.

Greetings,
Thomas

> -----Original Message-----
> From: Martin Moore
> Sent: Sunday, 9 October 2022 09:56
> To: Tomcat Users List; ma...@apache.org
> Subject: Re: About granting permissions to Tomcat JVM
> 
> Hello Mark,
> 
> I don't know if the SecurityManager is enabled or not (how to disable it
> btw?)
> I set the env var CATALINA_HOME to be C:/Program Files/Apache-Tomcat-8/
> The files in question are stored in Desktop/SomeFolder
> 
> Thanks.
> 
> On Sun, 9 Oct 2022 at 08:00, Mark Thomas wrote:
> 
> > On 08/10/2022 17:36, Martin Moore wrote:
> > > Hello,
> > >
> > > I am facing a problem using Tomcat V8 with my J2ee app that deletes
> > (using
> > > file.delete() Java 8) a file from disk (Windows). The file is
> > > actually deleting only on application level meaning that the
> > > application does not see the file anymore but if i open the folder i
> > > still see the file which
> > is
> > > then locked by Java process. I only get the file to be removed
> > > physically when i close the Tomcat instance.
> > >
> > > Does this problem relate to permissions in catalina.policy ?
> >
> > Unlikely.
> >
> > Are you using a SecurityManager?
> >
> > > How to solve this?
> >
> > Where, exactly, are you storing these files? Where, exactly, are
> > CATALINA_HOME and CATALINA_BASE?
> >
> > Mark
> >
> >
> >




AW: problems with inclusion of jsp files since Tomcat 9.0.67

2022-10-05 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
It's already addressed here: https://bz.apache.org/bugzilla/show_bug.cgi?id=66277

> -----Original Message-----
> From: Sita Geßner
> Sent: Wednesday, 5 October 2022 08:57
> To: users@tomcat.apache.org
> Subject: problems with inclusion of jsp files since Tomcat 9.0.67
> 
> Hello,
> 
> since Tomcat 9.0.67 we have the following problem. With tomcat 9.0.65
> everything works fine without a change.
> 
> most of our jsp-files are placed in a subdirectory and include the following
> line.
> 
> <%@ include file="../../includes/taglib.jsp" %>
> 
> the taglib.jsp contains the following content:
> 
> 
> <%@ page language="java" contentType="text/html; charset=UTF-8" %>
>
> <%@ taglib prefix="decorator" uri="http://www.opensymphony.com/sitemesh/decorator" %>
> <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
> <%@ taglib prefix="page" uri="http://www.opensymphony.com/sitemesh/page" %>
> <%@ taglib prefix="s" uri="/struts-tags" %>
> <%@ taglib prefix="sj" uri="/struts-jquery-tags" %>
> <%@ taglib prefix="sjg" uri="/struts-jquery-grid-tags" %>
> 
> 
> <%@ include file="../includes/struts-vars.jsp" %>
> 
> When opening a jsp-file that is directly placed under WEB-INF/jsp/
> everything works fine.
> When opening a jsp-page, where the jsp-file is placed in a subdirectory (for
> example: WEB-INF/jsp/search/), the following error occurs.
> 
> org.apache.jasper.JasperException: /WEB-INF/jsp/search/search-debtor.jsp (Zeile: [2], Spalte: [1]) /WEB-INF/jsp/search/../../includes/taglib.jsp (Zeile: [11], Spalte: [1]) Datei [../includes/struts-vars.jsp] nicht gefunden
> at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:41)
> at org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:292)
> at org.apache.jasper.compiler.ErrorDispatcher.jspError(ErrorDispatcher.java:98)
> at org.apache.jasper.compiler.Parser.processIncludeDirective(Parser.java:351)
> at org.apache.jasper.compiler.Parser.parseIncludeDirective(Parser.java:384)
> at org.apache.jasper.compiler.Parser.parseDirective(Parser.java:485)
> at org.apache.jasper.compiler.Parser.parseFileDirectives(Parser.java:1802)
> at org.apache.jasper.compiler.Parser.parse(Parser.java:141)
> at org.apache.jasper.compiler.ParserController.doParse(ParserController.java:245)
> at org.apache.jasper.compiler.ParserController.parseDirectives(ParserController.java:128)
> at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:202)
> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:391)
> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:367)
> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:351)
> at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:605)
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379)
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:711)
> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:459)
> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:385)
> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)
> at org.apache.struts2.result.ServletDispatcherResult.doExecute(ServletDispatcherResult.java:169)
> at org.apache.struts2.result.StrutsResultSupport.execute(StrutsResultSupport.java:206)
> at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:375)
> at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279)
> at de.data_team.newd.web.DecoratorInterceptor.intercept(DecoratorInterceptor.java:40)
> at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
> at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:179)
> at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
> at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
> at
> 

AW: AW: Slow startup first time after reboot

2022-10-01 Thread Thomas Hoffmann (Speed4Trade GmbH)
ne: 345
>      Bootstrap.main(String[]) line: 476


RandomAccessFile only means that the file is opened and allows random access to 
it.
It is not read in a sequential way but the class files can be accessed as needed.
Is it a war file or a normal web folder?
How many jars are in the WEB-INF\lib directory and how large is that folder 
(MB)?

> 
> On 9/29/2022 4:29 AM, Mark Thomas wrote:
> > On 29/09/2022 04:05, Jerry Malcolm wrote:
> >> Hi, Mark, Thanks for the info. Getting several thread dumps is not
> >> going to be easy in this specific situation.  This problem only
> >> occurs on initial boot up of a newly-imaged linux EC2 which is built
> >> and launched automatically by the AWS autoscaling service.  By the
> >> time i can see that an image has been created and launched, get the
> >> newly assigned IP address from AWS, then go through the
> >> initialization of a puTTY session, then get the PID for tomcat, I'm
> >> pretty much out of time to try to get meaningful thread dumps. I have
> >> no doubt that the thread dump might tell us something.  But short of
> >> some major restructuring and special scaffolding to obtain useful
> >> dumps, I want to exhaust all other alternatives to find the problem
> >> prior to going down that hole.
> >
> > In your initial post you stated you also observed the problem in your
> > local Windows development environment. Take the thread dumps there.
> >
> > Mark
> >
> >
> >>
> >>  1) Are there any finer log levels I can turn on to get more data
> >> for initializing webapps?
> >>
> >>  2) In general, what occurs on init of a webapp?  I know it does
> >> tld scanning of jar files.  But I'm not getting tld scan warnings.
> >> And any tld scans that do happen occur on every TC boot, right?
> >>
> >>  3) Are the datasource pools being initialized such that there
> >> could be some database timeout wait occurring?   (Not sure why there
> >> would be db timeouts, though... the db is up and running and not
> >> approaching connection limits)
> >>
> >>  4) Does it load/cache every jar file in the lib folder on init
> >>
> >>  5) Does it perhaps precompile all of the JSPs and cache them
> >> somewhere that the jvm might still have them on a TC reboot?  When
> >> it's doing slow-load, the time varies between 13 and 19 seconds, and
> >> the time appears to be correlated to the number of JSPs in the web app.
> >>
> >> I know I'm just grasping at straws.  But hopefully I can figure out
> >> something that is causing this super long load time without having to
> >> figure out the thread-dump on system boot procedure.
> >>
> >> Thanks again.
> >>
> >> Jerry
> >>
> >> On 9/28/2022 11:33 AM, Mark Thomas wrote:
> >>> Lots of ways. I'd try starting with the jstack tool which should be
> >>> provided as part of the JDK you are using.
> >>>
> >>> Mark
> >>>
> >>>
> >>> On 28/09/2022 17:16, Jerry Malcolm wrote:
> >>>> Thanks, Mark, I'm not familiar with how to take a thread dump in
> >>>> TC. Can you point me to documentation on that?
> >>>>
> >>>> Jerry
> >>>>
> >>>>
> >>>> On 9/28/2022 2:56 AM, Mark Thomas wrote:
> >>>>> Take three thread dumps 5s apart during the slowness and then diff
> >>>>> them to see what is moving and what is not.
> >>>>>
> >>>>> Mark
> >>>>>
> >>>>>
> >>>>> On 28/09/2022 07:30, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> could the underlying hardware cause the delay?
> >>>>>> Maybe the OS has cached some data and doesn’t need to read it from
> >>>>>> disk again?
> >>>>>>
> >>>>>> Maybe you can check the IO and CPU load during startup and compare.
> >>>>>>
> >>>>>>> -Original Message-
> >>>>>>> From: Jerry Malcolm 
> >>>>>>> Sent: Wednesday, September 28, 2022 04:54
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>> Subject: Re: Slow startup first time after reboot
> >>>>>>>
> >>>>>>> Neil,
> >>>>>>>
> >>>>
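
One way to do the comparison Mark Thomas suggests in the quoted thread (three thread dumps 5 s apart, then diffed), as an added example that is not part of the original messages. It assumes each dump was saved from `jstack <pid>`; the sample dumps, thread names and frames below are constructed for illustration.

```python
import re

# A thread block in jstack output starts with the quoted thread name.
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')


def parse_dump(text):
    """Parse one jstack dump into {thread name: {"state": str, "frames": [str]}}."""
    threads, current = {}, None
    for line in text.splitlines():
        header = THREAD_HEADER.match(line)
        stripped = line.strip()
        if header:
            current = threads.setdefault(
                header.group("name"), {"state": "UNKNOWN", "frames": []})
        elif current is None:
            continue
        elif stripped.startswith("java.lang.Thread.State:"):
            current["state"] = stripped.split(":", 1)[1].split()[0]
        elif stripped.startswith("at "):
            current["frames"].append(stripped[3:])
        elif not stripped:
            current = None  # a blank line ends the thread block
    return threads


def compare_dumps(dumps):
    """Sort threads present in every dump into stuck / idle / moving.

    stuck:  identical stack in all dumps while not parked (e.g. RUNNABLE, BLOCKED)
    idle:   identical stack in all dumps while WAITING or TIMED_WAITING
    moving: the stack changed between dumps
    """
    parsed = [parse_dump(d) for d in dumps]
    names = set(parsed[0]).intersection(*(set(p) for p in parsed[1:]))
    report = {"stuck": {}, "idle": {}, "moving": {}}
    for name in sorted(names):
        stacks = [tuple(p[name]["frames"]) for p in parsed]
        if not any(stacks):
            continue  # JVM-internal threads carry no Java frames
        if len(set(stacks)) > 1:
            report["moving"][name] = [s[0] if s else "<no frames>" for s in stacks]
            continue
        state = parsed[-1][name]["state"]
        bucket = "idle" if state in ("WAITING", "TIMED_WAITING") else "stuck"
        report[bucket][name] = (state, stacks[0][0])
    return report


def _constructed_dump(worker_frame):
    """Constructed sample in jstack layout; only the worker's top frame varies."""
    return f'''"main" #1 prio=5 os_prio=0 tid=0x00007f1 nid=0x1a03 runnable [0x00007f2]
   java.lang.Thread.State: RUNNABLE
\tat java.io.RandomAccessFile.readBytes(Native Method)
\tat java.io.RandomAccessFile.read(RandomAccessFile.java:406)
\tat org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)

"Catalina-utility-1" #20 prio=1 os_prio=0 tid=0x00007f3 nid=0x1a10 waiting on condition [0x00007f4]
   java.lang.Thread.State: TIMED_WAITING (parking)
\tat jdk.internal.misc.Unsafe.park(Native Method)
\tat java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:234)

"worker-1" #21 prio=5 os_prio=0 tid=0x00007f5 nid=0x1a11 runnable [0x00007f6]
   java.lang.Thread.State: RUNNABLE
\tat {worker_frame}
\tat java.lang.Thread.run(Thread.java:829)

"VM Thread" os_prio=0 tid=0x00007f7 nid=0x1a05 runnable
'''


# Three constructed dumps standing in for dump1.txt .. dump3.txt taken 5 s apart.
SAMPLE_DUMPS = [
    _constructed_dump("com.example.A.load(A.java:10)"),
    _constructed_dump("com.example.B.scan(B.java:22)"),
    _constructed_dump("com.example.C.init(C.java:5)"),
]

if __name__ == "__main__":
    for bucket, threads in compare_dumps(SAMPLE_DUMPS).items():
        for name, detail in threads.items():
            print(f"{bucket:7} {name}: {detail}")
```

Parked pool threads always look unchanged between dumps, so the idle bucket keeps them apart from a thread that sits in the same I/O or lock frame for the whole interval.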

AW: AW: MaxRequestWorkers error

2022-09-30 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Kumawat, Priyanka 
> Sent: Thursday, September 29, 2022 22:28
> To: Tomcat Users List 
> Subject: RE: AW: MaxRequestWorkers error
> 
> Hi Thomas,
> 
> -> How much memory did you configure for your java environment? -->
> 
> -Xms4096m -Xmx8192m

This depends on the application and the server memory.
Every application is different. It depends on what they keep in memory. Some 
applications eat a lot of memory, some less.
Maybe you can take a look at the requirements or ask the developer if possible.

> -> Parameter If the java process eats too much memory, you can write a
> memory dump when an OOM exception occurs.
> 
> Do we need to run this cmd with the startup.sh tomcat cmd , or can we run
> this directly on server , before restarting the tomcat during OOM error.
> 
> -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/tomcat/apache-tomcat-8.5.5/logs/javadump.dmp
> 

All the -X... stuff are startup parameters / variables. Usually set via 
setenv.sh.
Please check e.g. 
https://crunchify.com/how-to-change-jvm-heap-setting-xms-xmx-of-tomcat/ 

> Also can we use the cmd's also for generating heap and thread dumps ,
> please suggest are these cmd's useful for these error condition.
> 
> kill -3 PID
> 
> /opt/tomcat/jdk1.8.0_121/bin
> ./jmap -F -dump:format=b,file=/tmp/heap.bin PID
> ./jmap -F -dump:format=b,file=/tmp/heap.hpof PID
> 

Kill and jmap can dump the memory during runtime, yes.
However you need tools like MAT https://www.eclipse.org/mat/ and the dumps in 
general are useful for the developers of the app.


> The below is the current memory foot print on the prod server now -
> 
> tomcat@[/tmp]$ free -m
>              total       used       free     shared    buffers     cached
> Mem:         32109      31422        687         69       1185      15452
> -/+ buffers/cache:      14783      17325
> Swap:        16383          0      16383
> tomcat@[/tmp]$ free -m
>              total       used       free     shared    buffers     cached
> Mem:         32109      31422        687         69       1185      15452
> -/+ buffers/cache:      14783      17325
> Swap:        16383          0      16383
> tomcat@[/tmp]$ free -m
>              total       used       free     shared    buffers     cached
> Mem:         32109      31422        687         69       1185      15452
> -/+ buffers/cache:      14783      17325
> Swap:        16383          0      16383
> 
> 
> > > You can also open a JMX port and inspect the memory using during
> > > runtime, e.g. with VirtualVM
> 
> We are still trying this option to get run, this is asking to have java 1.8 or
> higher, can we use any other option to check the Memory during runtime?


VisualVM is best in my point of view. Don’t you have Java 8 or higher running?


> 
> Please suggest. Thank you!
> 
> 
> Thanks & Regards,
> 
> Priyanka Kumawat | Middleware Admin
> T +91.7879364483
> EMail - priyanka.kuma...@dxc.com
> DL - ams-leveraged-webadmin-offsh...@dxc.com
> 
> DXC Technology
> 
> 
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: 28 September 2022 12:02
> To: Tomcat Users List 
> Subject: AW: AW: MaxRequestWorkers error
> 
> 
> 
> > -Original Message-
> > From: Rob Sargent 
> > Sent: Tuesday, September 27, 2022 23:26
> > To: users@tomcat.apache.org
> > Subject: Re: AW: MaxRequestWorkers error
> >
> >
> >
> > On 9/27/22 14:37, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > >
> > > How much memory did you configure for your java environment? --> Xmx Parameter
> > > If the java process eats too much memory, you can write a
> > > memory dump when an OOM exception occurs.
> > > E.g. with the parameters: -XX:+HeapDumpOnOutOfMemoryError
> > > -XX:HeapDumpPath=/var/logs/javadump.dmp
> > > You can also open a JMX port and inspect the memory usage during
> > > runtime, e.g. with VirtualVM https://visualvm.github.io/
> > >
> > Pretty sure Thomas meant "VisualVM"
> 
> Of course :)
> Link was right, name was wrong.
> 
> >

AW: AW: MaxRequestWorkers error

2022-09-28 Thread Thomas Hoffmann (Speed4Trade GmbH)


> -Original Message-
> From: Rob Sargent 
> Sent: Tuesday, September 27, 2022 23:26
> To: users@tomcat.apache.org
> Subject: Re: AW: MaxRequestWorkers error
> 
> 
> 
> On 9/27/22 14:37, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >
> > How much memory did you configure for your java environment? --> Xmx Parameter
> > If the java process eats too much memory, you can write a
> > memory dump when an OOM exception occurs.
> > E.g. with the parameters: -XX:+HeapDumpOnOutOfMemoryError
> > -XX:HeapDumpPath=/var/logs/javadump.dmp
> > You can also open a JMX port and inspect the memory usage during
> > runtime, e.g. with VirtualVM https://visualvm.github.io/
> >
> Pretty sure Thomas meant "VisualVM"

Of course :)
Link was right, name was wrong.

> 



AW: Slow startup first time after reboot

2022-09-28 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

could the underlying hardware cause the delay?
Maybe the OS has cached some data and doesn’t need to read it from disk again?

Maybe you can check the IO and CPU load during startup and compare.

> -Original Message-
> From: Jerry Malcolm 
> Sent: Wednesday, September 28, 2022 04:54
> To: users@tomcat.apache.org
> Subject: Re: Slow startup first time after reboot
> 
> Neil,
> 
> Sadly, that line doesn't appear either with or without the java.security.egd
> option.   That appears to be a lump sum  of 4-5 minutes for the
> SecureRandom seed thing.  I'm getting a total accumulation of ~5
> minutes.  But it's made up of a bunch of ~15-sec web starts.  See example
> below.  Same two lines from Catalina.out from the first boot and a second
> boot.
> 
> One other clue I've noted.  The quick boot occurs on an immediate
> stop/start.  I have noticed a couple of times in Eclipse that if I stop TC and
> leave it stopped for a while, it goes back to the long startup. It sounds like
> something related to loading modules/jarFiles.  On an immediate restart the
> JVM wouldn't have time to unload modules before they are needed
> again.  But a new loading of some module on each web app might be what's
> killing it (??)
> 
>   JVM Version:   11.0.16+8-LTS
>   JVM Vendor:    Red Hat, Inc.
> 
> Auto-startup of TC on EC2 startup:
> 
> 28-Sep-2022 00:15:55.612 INFO [main]
> org.apache.catalina.startup.HostConfig.deployDirectory Deployment
>      of web application directory
> [/var/domains/wridz.com/webapps/idmanager] has finished in [16,991] ms
> [1 example... ~20 more like it]
> 
> 28-Sep-2022 00:18:40.818 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in [30]
> milliseconds
> 
> Reboot of TC
> 
> 28-Sep-2022 02:28:45.854 INFO [main]
> org.apache.catalina.startup.HostConfig.deployDirectory Deployment
>     of web application directory
> [/var/domains/wridz.com/webapps/idmanager] has finished in [737] ms [1
> example... ~20 more like it]
> 
> 28-Sep-2022 02:28:51.476 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in [19795]
> milliseconds
> 
> On 9/27/2022 8:32 PM, Neil Aggarwal wrote:
> >> Are there perhaps
> >> some log levels I could change that would provide more detailed
> >> information about what step it's hung up on for loading these web apps?
> > I just tested this on a dev sever.
> > I removed the java.security.egd option and rebooted my server.
> >
> > Once I waited for Tomcat to finish starting up, catalina.out had this line:
> > WARNING [main]
> > org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom
> > Creation of SecureRandom instance for session ID generation using
> > [SHA1PRNG] took [222,741] milliseconds.
> >
> > Check if your log has something similar.
> >
> > Thank you,
> >Neil
> >
> > --
> > Neil Aggarwal, (972) 834-1565, http://www.propfinancing.com We offer
> > 30 year loans on single family houses!
> >


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
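
The two hypotheses discussed in this thread (a slow SecureRandom seed, as on Neil's dev server, versus per-webapp deployment that is slow only on the first boot, as in Jerry's logs) can be told apart from catalina.out alone. The following is an added example, not code from the thread; the function names and thresholds are assumptions, and the sample lines are the log lines quoted above rejoined onto single lines.

```python
import re

# "Deployment of web application directory [...] has finished in [16,991] ms"
DEPLOY = re.compile(
    r"HostConfig\.deployDirectory Deployment of web application directory "
    r"\[(?P<path>[^\]]+)\] has finished in \[(?P<ms>[\d,]+)\] ms")
# "Creation of SecureRandom instance ... using [SHA1PRNG] took [222,741] milliseconds."
SEED = re.compile(
    r"SessionIdGeneratorBase\.createSecureRandom Creation of SecureRandom instance "
    r"for session ID generation using \[(?P<alg>[^\]]+)\] took \[(?P<ms>[\d,]+)\] milliseconds")


def _ms(text):
    """Tomcat prints durations with thousands separators, e.g. [16,991]."""
    return int(text.replace(",", ""))


def parse_startup(log_text):
    """Extract per-webapp deploy times and SecureRandom seeding times from a log."""
    deploys, seeds = {}, []
    for line in log_text.splitlines():
        match = DEPLOY.search(line)
        if match:
            deploys[match.group("path")] = _ms(match.group("ms"))
            continue
        match = SEED.search(line)
        if match:
            seeds.append((match.group("alg"), _ms(match.group("ms"))))
    return {"deploys": deploys, "seeds": seeds}


def diagnose(first_boot_log, restart_log, ratio=5, seed_threshold_ms=1000):
    """Compare a first-boot log with a restart log.

    entropy_stalls: SecureRandom creations on first boot that took at least
                    seed_threshold_ms (assumed threshold).
    cold_deploys:   webapps whose first-boot deploy took at least `ratio` times
                    longer than on restart (assumed ratio).
    """
    cold, warm = parse_startup(first_boot_log), parse_startup(restart_log)
    stalls = [(alg, ms) for alg, ms in cold["seeds"] if ms >= seed_threshold_ms]
    cold_deploys = []
    for path, cold_ms in sorted(cold["deploys"].items()):
        warm_ms = warm["deploys"].get(path)
        if warm_ms and cold_ms >= ratio * warm_ms:
            cold_deploys.append((path, cold_ms, warm_ms))
    return {"entropy_stalls": stalls, "cold_deploys": cold_deploys}


# Log lines quoted in the thread, rejoined onto single lines.
JERRY_FIRST_BOOT = (
    "28-Sep-2022 00:15:55.612 INFO [main] "
    "org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web "
    "application directory [/var/domains/wridz.com/webapps/idmanager] "
    "has finished in [16,991] ms\n")
JERRY_RESTART = (
    "28-Sep-2022 02:28:45.854 INFO [main] "
    "org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web "
    "application directory [/var/domains/wridz.com/webapps/idmanager] "
    "has finished in [737] ms\n")
NEIL_DEV_SERVER = (
    "WARNING [main] org.apache.catalina.util.SessionIdGeneratorBase."
    "createSecureRandom Creation of SecureRandom instance for session ID "
    "generation using [SHA1PRNG] took [222,741] milliseconds.\n")

if __name__ == "__main__":
    print("Jerry:", diagnose(JERRY_FIRST_BOOT, JERRY_RESTART))
    print("Neil: ", diagnose(NEIL_DEV_SERVER, ""))
```

On the thread's own lines, Jerry's logs report no entropy stall but a cold deploy of idmanager (16,991 ms against 737 ms), while Neil's log reports the SHA1PRNG seeding delay.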



AW: MaxRequestWorkers error

2022-09-27 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello!

> -Original Message-
> From: Kumawat, Priyanka 
> Sent: Tuesday, September 27, 2022 21:41
> To: Tomcat Users List 
> Subject: RE: MaxRequestWorkers error
> 
> Hello Christopher,
> 
> Thank you for your assistance! Please find the mpm event given under
> httpd.mpm.conf file on the server as below. The max request worker was
> increased 50 more, approx. two months before. That time we faced the
> same issue with Max request error and memory got exhausted on the server;
> the root cause concluded that time was insufficient memory. As part of the
> solution, 16GB memory was added to the server along with the Max worker
> increase; the tomcat application heap size was also adjusted.
> 
> But we have started seeing the same kind of problems again: Tomcat
> went to crash status with out-of-memory errors, and Apache error logs with
> Max request errors, whole production environment due to this.
> 
> It occurred twice recently - 16th Sept and 20th Sept.
> 
> **
> 
> Error details -
> 
> [Tue Sep 20 10:25:23.518687 2022] [mpm_event:error] [pid 29112:tid 140343038482176] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
> [Tue Sep 20 10:48:08.134955 2022] [mpm_event:error] [pid 23940:tid 140413844547328] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
> 
> 
> [root@ustlswh552 logs]# uptime
> 05:08:35 up 72 days,  5:39,  2 users,  load average: 0.22, 0.13, 0.07
> 
> /opt/tomcat/apache-tomcat-8.5.5/logs/localhost.2022-09-16.log
> 
> 16-Sep-2022 15:49:00.672 SEVERE [ajp-nio-8009-exec-117] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [ws] in context with path [/thq] threw exception [Request processing failed; nested exception is java.lang.OutOfMemoryError: unable to create new native thread] with root cause
> java.lang.OutOfMemoryError: unable to create new native thread
> at java.lang.Thread.start0(Native Method)
 


How much memory did you configure for your java environment? --> Xmx Parameter
If the java process eats too much memory, you can write a memory dump when an 
OOM exception occurs.
E.g. with the parameters: -XX:+HeapDumpOnOutOfMemoryError 
-XX:HeapDumpPath=/var/logs/javadump.dmp
You can also open a JMX port and inspect the memory usage during runtime, e.g. 
with VirtualVM https://visualvm.github.io/  

Other options are:
- Activate AccessLog and check the request time. Are they ok or do they take 
too much time?
- Activate tomcat-manager and check the number of active requests and sessions. 
Are they in the expected range?


> 
> **
> 
> 
> # event MPM
> # StartServers: initial number of server processes to start
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestWorkers: maximum number of worker threads
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> # before terminating
> 
> StartServers             3
> MinSpareThreads         75
> MaxSpareThreads        250
> ThreadsPerChild         50
> MaxRequestWorkers      500
> MaxConnectionsPerChild   0
> 
> 
> 
> Thanks & Regards,
> 
> Priyanka Kumawat | Middleware Admin
> T +91.7879364483
> EMail - priyanka.kuma...@dxc.com
> DL - ams-leveraged-webadmin-offsh...@dxc.com
> 
> DXC Technology
> 
> 
> 
> 
> 
> -Original Message-
> From: Christopher Schultz 
> Sent: 28 September 2022 00:19
> To: Tomcat Users List 
> Subject: Re: MaxRequestWorkers error
> 
> Koustav,
> 
> On 9/27/22 11:09, Naha, Koustav wrote:
> > We have Tomcat and Apache installed in our production environment
> > since
> > 5/6 years. Everything was going fine until we started getting
> > application not responding status from users, upon checking we found
> > out that there was a MaxRequest error as below,
> >
> >   * In Apache log we have found this error.
> >
> > [Tue Sep 20 10:48:08.134955 2022] [mpm_event:error] [pid 23940:tid
> > 140413844547328] AH00484: server reached MaxRequestWorkers setting,
> > consider raising the MaxRequestWorkers setting
> >
> >   * we have seen the below error on tomcat logs
> 
> Your attachment has been removed from the mailing list. Can you please
> provide a text-only description of the problem?
> 
> > We increased 16gb memory on both servers , now we have 32 Gb memory
> in
> > each servers. But the issue still is there.
> 
> You could have 1TiB of memory on your server and it would not solve the
> issue you are reporting.
> 
> > Suddenly we start getting the error and we have to restart Tomcat and
> > Apache.
> >
> > FAQ:
> >
> >  1. 

AW: which missing file prevents tomcat 10 from starting as windows service ?

2022-09-22 Thread Thomas Hoffmann (Speed4Trade GmbH)
[08]: KB5012170
> 
>[09]: KB5017315
> 
>[10]: KB5012675
> 
>[11]: KB5014031
> 
>[12]: KB5014797
> 
>[13]: KB5015896
> 
> Network Card(s):   1 NIC(s) Installed.
> 
>[01]: vmxnet3 Ethernet Adapter
> 
>  Connection Name: Ethernet0 2
> 
>  DHCP Enabled:No
> 
>  IP address(es)
> 
>  [01]: 10.8.152.76
> 
>  [02]: fe80::654a:bb1c:688b:acd0
> 
> Hyper-V Requirements:  A hypervisor has been detected. Features
> required for Hyper-V will not be displayed.
> 
> 
> 
> 
> 
> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Thursday, September 22, 2022 8:14 AM
> To: Tomcat Users List 
> Subject: AW: which missing file prevents tomcat 10 from starting as windows
> service ?
> 
> 
> 
> 
> Short note from my side:
> 
> WinSxS is the cache for Windows updates.
> 
> You should not copy from that location and also don't mess around with
> Windows internal folders 
> 
> 
> 
> From: Berneburg, Cris J. - US
> 
> Sent: Thursday, September 22, 2022 14:38:35
> 
> To: Tomcat Users List
> 
> Subject: RE: which missing file prevents tomcat 10 from starting as windows
> service ?
> 
> 
> 
> Hi Again Larry
> 
> 
> 
> Sorry, more guesswork on my part.
> 
> 
> 
> > This file does seem to exist:
> 
> > c:\Windows\WinSxS\amd64_microsoft-windows-wid-x86_31bf3856ad364e35_10.0.17763.1_none_a9a257b2f2875ecb\msvcr100.dll
> 
> 
> 
> OT: That seems like a strange location.  Is that the Windows startup cache?
> The file might not be needed anyway.
> 
> 
> 
> > "1:39:55.5108687 PM","Tomcat10.exe","12464","DeviceIoControl","C:\Windows\System32\advapi32.dll","NOT FOUND","Control: 0x8696c (Device:0x8 Function:2651 Method: 0)"
> 
> 
> 
> 1. Like Thomas Hoffmann asked, what's Tomcat's effective PATH variable set
> to?
> 
> 
> 
> If we can't determine what the issue is, perhaps we can figure out what it's
> not.  :-)  IOW, is this a platform, Windows, Java, or Tomcat issue?
> 
> 
> 
> 2. In case I missed it, have you tried a different major version of Java?  
> Earlier
> than 11, vendor other than Amazon (Corretto)?
> 
> 
> 
> 3. Have you tried a major version of TC earlier than 10.0.23?  Are you using
> any "native" components?
> 
> 
> 
> 4. Could there be an overly restrictive Windows access rights issue?
> 
> 
> 
> 5. Is this a VM/EC2 instance or a Docker image?  I'm wondering if there's
> something wonky in the way the computer was configured.
> 
> 
> 
> Again, apologies, as I am not an expert and can only ask generic diagnostic
> questions.
> 
> 
> 
> - Cris B.
> 
> 
> 
> -
> 
> 
> 
> From: Heidt, Larry
> 
> Sent: Wednesday, September 21, 2022 6:11 PM
> 
> To: Tomcat Users List
> 
> Subject: RE: which missing file prevents tomcat 10 from starting as windows
> service ?
> 
> 
> 
> Thanks to everyone who read my initial message, and especially to Thomas,
> Cris, and Chuck for their responses
> 
> 
> 
> Please see the current issue below
> 
> 
> 
> 
> 
> Thomas,
> 
> 
> 
> “Does calling java.exe succeed?”
> 
> 
> 
> The following commons_daemon logging indicates no – is there something
> else to check ?
> 
> 
> 
> [2022-09-19 13:09:07] [error] ( javajni.c:828 ) [ 7652] CreateJavaVM Failed with error [-1]
> 
> [2022-09-19 13:09:07] [error] ( javajni.c:828 ) [ 7652] The system cannot find the file specified.
> 
> 
> 
> 
> 
> “use procmon to figure out which file is missing”
> 
> 
> 
> Your excellent ProcMon suggestion (never had used, will again) has enabled
> me to get past this first issue – please see the work-around below
> 
> 
>

AW: which missing file prevents tomcat 10 from starting as windows service ?

2022-09-22 Thread Thomas Hoffmann (Speed4Trade GmbH)
Short note from my side:
WinSxS is the cache for Windows updates.
You should not copy from that location and also don't mess around with Windows 
internal folders 

From: Berneburg, Cris J. - US 
Sent: Thursday, September 22, 2022 14:38:35
To: Tomcat Users List
Subject: RE: which missing file prevents tomcat 10 from starting as windows 
service ?

Hi Again Larry

Sorry, more guesswork on my part.

> This file does seem to exist:
> c:\Windows\WinSxS\amd64_microsoft-windows-wid-x86_31bf3856ad364e35_10.0.17763.1_none_a9a257b2f2875ecb\msvcr100.dll

OT: That seems like a strange location.  Is that the Windows startup cache?  
The file might not be needed anyway.

> "1:39:55.5108687 PM","Tomcat10.exe","12464","DeviceIoControl","C:\Windows\System32\advapi32.dll","NOT FOUND","Control: 0x8696c (Device:0x8 Function:2651 Method: 0)"

1. Like Thomas Hoffmann asked, what's Tomcat's effective PATH variable set to?

If we can't determine what the issue is, perhaps we can figure out what it's 
not.  :-)  IOW, is this a platform, Windows, Java, or Tomcat issue?

2. In case I missed it, have you tried a different major version of Java?  
Earlier than 11, vendor other than Amazon (Corretto)?

3. Have you tried a major version of TC earlier than 10.0.23?  Are you using 
any "native" components?

4. Could there be an overly restrictive Windows access rights issue?

5. Is this a VM/EC2 instance or a Docker image?  I'm wondering if there's 
something wonky in the way the computer was configured.

Again, apologies, as I am not an expert and can only ask generic diagnostic 
questions.

- Cris B.

-

From: Heidt, Larry 
Sent: Wednesday, September 21, 2022 6:11 PM
To: Tomcat Users List 
Subject: RE: which missing file prevents tomcat 10 from starting as windows 
service ?

Thanks to everyone who read my initial message, and especially to Thomas, Cris, 
and Chuck for their responses

Please see the current issue below


Thomas,

“Does calling java.exe succeed?”

The following commons_daemon logging indicates no – is there something else to 
check ?

[2022-09-19 13:09:07] [error] ( javajni.c:828 ) [ 7652] CreateJavaVM Failed with error [-1]
[2022-09-19 13:09:07] [error] ( javajni.c:828 ) [ 7652] The system cannot find the file specified.


“use procmon to figure out which file is missing”

Your excellent ProcMon suggestion (never had used, will again) has enabled me 
to get past this first issue – please see the work-around below


Cris,

“Does the Windows Event Viewer provide any insight into the service failing?”

Only that “The system cannot open the file”, but thanks for the suggestion

“due to a missing msvcr100.dll?”

This file does seem to exist:

c:\Windows\WinSxS\amd64_microsoft-windows-wid-x86_31bf3856ad364e35_10.0.17763.1_none_a9a257b2f2875ecb\msvcr100.dll
c:\Windows\WinSxS\amd64_microsoft-windows-wid_31bf3856ad364e35_10.0.17763.1_none_9870f12fb40ec83a\msvcr100.dll


Chuck,

“JVM options include “exit” and “abort”, which seems rather odd. The JVM may be 
looking for files with those names.”

Thanks, however ProcMon doesn’t show the JVM looking for files with those names 
(also, those options are defined by Tomcat 10)


work-around for “system cannot find the file specified”

Copied several .dll files (identified as “not found” by ProcMon) from 
C:\Windows\System32 to …\apache-tomcat-10.0.23\bin


Current issue:

commons_daemon logging no longer indicates "The system cannot find the file 
specified", however still shows the following errors:

[2022-09-21 13:57:40] [debug] ( javajni.c:419 ) [  184] JNI_GetCreatedJavaVMs...
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[0] -Dcatalina.home=c:\Dematic\apache-tomcat-10.0.23
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[1] -Dcatalina.base=c:\Dematic\apache-tomcat-10.0.23
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[2] -Dignore.endorsed.dirs=c:\Dematic\apache-tomcat-10.0.23\endorsed
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[3] -Djava.io.tmpdir=c:\Dematic\apache-tomcat-10.0.23\temp
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[4] -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[5] -Djava.util.logging.config.file=c:\Dematic\apache-tomcat-10.0.23\conf\logging.properties
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[6]  -Dirista.log.dir=C:\Dematic\Foundation\Source\log -DSERVER_ID=Enterprise
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[7] --add-opens=java.base/java.lang=ALL-UNNAMED
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[8] --add-opens=java.base/java.io=ALL-UNNAMED
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[9] --add-opens=java.base/java.util=ALL-UNNAMED
[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] 

AW: which missing file prevents tomcat 10 from starting as windows service ?

2022-09-22 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
DLL files from windows/system32 are usually in the search path and don't need 
to be copied.
Could you check your path variable?

Hint: Not every "not found" indicates an error, especially in registry.

Greetings, Thomas

From: Heidt, Larry 
Sent: Thursday, September 22, 2022 00:11:20
To: Tomcat Users List
Subject: RE: which missing file prevents tomcat 10 from starting as windows 
service ?


Thanks to everyone who read my initial message, and especially to Thomas, Cris, 
and Chuck for their responses



Please see the current issue below





Thomas,



“Does calling java.exe succeed?”



The following commons_daemon logging indicates no – is there something else to 
check ?



[2022-09-19 13:09:07] [error] ( javajni.c:828 ) [ 7652] CreateJavaVM Failed with error [-1]

[2022-09-19 13:09:07] [error] ( javajni.c:828 ) [ 7652] The system cannot find the file specified.





“use procmon to figure out which file is missing”



Your excellent ProcMon suggestion (never had used, will again) has enabled me 
to get past this first issue – please see the work-around below




Cris,

“Does the Windows Event Viewer provide any insight into the service failing?”

Only that “The system cannot open the file”, but thanks for the suggestion

“due to a missing msvcr100.dll?”

This file does seem to exist:

c:\Windows\WinSxS\amd64_microsoft-windows-wid-x86_31bf3856ad364e35_10.0.17763.1_none_a9a257b2f2875ecb\msvcr100.dll
c:\Windows\WinSxS\amd64_microsoft-windows-wid_31bf3856ad364e35_10.0.17763.1_none_9870f12fb40ec83a\msvcr100.dll


Chuck,

“JVM options include “exit” and “abort”, which seems rather odd. The JVM may be 
looking for files with those names.”

Thanks, however ProcMon doesn’t show the JVM looking for files with those names 
(also, those options are defined by Tomcat 10)



work-around for “system cannot find the file specified”



Copied several .dll files (identified as “not found” by ProcMon) from 
C:\Windows\System32 to …\apache-tomcat-10.0.23\bin





Current issue:



commons_daemon logging no longer indicates "The system cannot find the file 
specified", however still shows the following errors:



[2022-09-21 13:57:40] [debug] ( javajni.c:419 ) [  184] JNI_GetCreatedJavaVMs...

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[0] -Dcatalina.home=c:\Dematic\apache-tomcat-10.0.23

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[1] -Dcatalina.base=c:\Dematic\apache-tomcat-10.0.23

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[2] -Dignore.endorsed.dirs=c:\Dematic\apache-tomcat-10.0.23\endorsed

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[3] -Djava.io.tmpdir=c:\Dematic\apache-tomcat-10.0.23\temp

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[4] -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[5] -Djava.util.logging.config.file=c:\Dematic\apache-tomcat-10.0.23\conf\logging.properties

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[6]  -Dirista.log.dir=C:\Dematic\Foundation\Source\log -DSERVER_ID=Enterprise

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[7] --add-opens=java.base/java.lang=ALL-UNNAMED

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[8] --add-opens=java.base/java.io=ALL-UNNAMED

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[9] --add-opens=java.base/java.util=ALL-UNNAMED

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[10] --add-opens=java.base/java.util.concurrent=ALL-UNNAMED

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[11] --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[12] -Djava.class.path=c:\Dematic\apache-tomcat-10.0.23\bin\bootstrap.jar;c:\Dematic\apache-tomcat-10.0.23\bin\tomcat-juli.jar

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[13] exit

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[14] abort

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[15] -Xms128m

[2022-09-21 13:57:40] [debug] ( javajni.c:817 ) [11468] JVM Option[16] -Xmx256m

[2022-09-21 13:57:40] [error] ( javajni.c:828 ) [11468] CreateJavaVM Failed with error [-1]

[2022-09-21 13:57:40] [debug] ( javajni.c:1087) [11468] Java worker thread 
finished : with status = 2

[2022-09-21 13:57:40] [error] ( prunsrv.c:1483) [  184] Failed to start Java

[2022-09-21 13:57:40] [error] ( prunsrv.c:1840) [  184] ServiceStart returned 4.

[2022-09-21 13:57:40] [debug] ( prunsrv.c:1123) [  184] reportServiceStatusE: 
dwCurrentState = 1 (SERVICE_STOPPED), dwWin32ExitCode = 1066, dwWaitHint = 0 
milliseconds, dwServiceSpecificExitCode = 4.





Does anyone know what a Tomcat exitCode of 4 means ?



The listing below is current output from ProcMon 

AW: AW: AW: AW: AW: AW: Tomcat 10 with Http2 and compression sometimes closes connection with Firefox

2022-09-20 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark,

thank you for the explanation.
Could you guide me in this case?
Shall I set all logging options in tomcat to trace (logging.properties)?

Thanks! Thomas

> -Original Message-
> From: Mark Thomas
> Sent: Tuesday, 20 September 2022 22:28
> To: users@tomcat.apache.org
> Subject: Re: AW: AW: AW: AW: AW: Tomcat 10 with Http2 and compression
> sometimes closes connection with Firefox
> 
> On 20/09/2022 20:22, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello Mark,
> >
> >> -Original Message-
> >> From: Mark Thomas
> >> Sent: Tuesday, 20 September 2022 20:13
> >> To: users@tomcat.apache.org
> >> Subject: Re: AW: AW: AW: AW: Tomcat 10 with Http2 and compression
> >> sometimes closes connection with Firefox
> >>
> >> On 20/09/2022 17:58, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> >>> Hello Mark,
> >>>
> >>>
> >>> I will send you the log and access-log to your email address.
> >>>
> >>> I am not sure whether it contradicts the observation.
> >>>
> >>>
> >>> For example:
> >>>
> >>> - Browser opens a TCP-connection and requests the HTML page.
> >>>
> >>> - Tomcat sends single packages with HTML via http2-stream no 1.
> >>>
> >>> - Browser requests CSS via http2-stream no 2.
> >>>
> >>> - Tomcat serves HTML via stream 1 and css via stream 2.
> >>>
> >>> - Browser closes stream 2 which triggers tomcat to close the whole
> >>> TCP connection including stream 1.
> >>>
> >>> - Thus the html stream is also cancelled, leading to a partly
> >>> visible html page.
> >>
> >> Thomas,
> >>
> >> I can find no evidence of the sequence above in the logs you provided.
> >> In all the cases I could find, the client first reset the stream
> >> sending 0x08 (cancel) as the reason.
> >>
> >> If you can provide a connection and stream id that exhibits the
> >> behaviour you are describing, I'll be happy to look at it.
> >>
> >> Mark
> >
> > I can record a network trace with wireshark if this helps.
> > The last time I saw that the browser aborts one stream as you described.
> > It shouldn’t close the whole TCP connection, just the stream.
> > I try to get a wireshark dump on weekend.
> 
> Thomas,
> 
> A wireshark trace is unlikely to help. I need the Tomcat debug logs to see
> what is happening internally.
> 
> You need to provide the debug log trace for an instance where Tomcat
> closes the entire connection after the client resets a single stream.
> 
> In all the examples in the previous log, every time there was a stack trace
> for a stream, it was preceded by the client resetting that stream
> - and hence was normal behaviour.
> 
> Mark
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
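
The distinction this thread turns on, a client resetting one stream with 0x08 (cancel) versus the whole connection being shut down, is visible in the HTTP/2 frames themselves. The sketch below is an added example, not code from Tomcat or from any poster; it assumes already-decrypted frame bytes, uses the frame layout from RFC 9113, and runs on a constructed sample.

```python
import struct

# Frame types and error codes from RFC 9113 (HTTP/2).
RST_STREAM, GOAWAY = 0x3, 0x7
ERROR_NAMES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x8: "CANCEL"}

def build_frame(ftype, stream_id, payload, flags=0):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) +
            struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, stream_id, payload) for each complete frame in data."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype = data[pos + 3]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        yield ftype, stream_id, payload
        pos += 9 + length

def classify(data):
    """Separate stream-level resets from connection-level shutdown."""
    events = []
    for ftype, stream_id, payload in parse_frames(data):
        if ftype == RST_STREAM and len(payload) == 4 and stream_id != 0:
            code = int.from_bytes(payload, "big")
            events.append(("stream-reset", stream_id,
                           ERROR_NAMES.get(code, hex(code))))
        elif ftype == GOAWAY and len(payload) >= 8 and stream_id == 0:
            last = int.from_bytes(payload[:4], "big") & 0x7FFFFFFF
            code = int.from_bytes(payload[4:8], "big")
            events.append(("connection-goaway", last,
                           ERROR_NAMES.get(code, hex(code))))
    return events

# Constructed sample: stream 3 is cancelled, then a GOAWAY names last stream 1.
SAMPLE = (build_frame(RST_STREAM, 3, struct.pack(">I", 0x8)) +
          build_frame(GOAWAY, 0, struct.pack(">II", 1, 0x0)))

if __name__ == "__main__":
    for event in classify(SAMPLE):
        print(event)
```

A "stream-reset" event affects only the stream it names; only a "connection-goaway" event (or a TCP close) ends the connection for every stream.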


